Analysis
max time kernel: 141s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-09-2024 21:15
Static task: static1
Behavioral task: behavioral1
  Sample: d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Size: 226KB
MD5: d71ade5c60623d536289f4c276f530d9
SHA1: ba8517b57275e318764db077fc0620ce2aed3cb3
SHA256: e50ddca12e69a7532d4040a3798a304571e4161b6947663cd03a5680f796e60f
SHA512: 2ee79fb1ef2b20607c4deaea208596bc0609c9091717e221160181f21ff3d9d8e006f631d777fdfca1bce125d9deb8422be96349907314c0145c708719abce24
SSDEEP: 3072:0/yY0LkTUY3P5xvFhMS9UONzqNzwFpne2x7RpazbTrHwYiAUPUUEHwmNpl8spNLP:WyYjtr79+Gpe2jUzrzTOmN3xk8hb
Malware Config
Extracted (sality):
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Extracted (metasploit):
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Modifies firewall policy service (3 TTPs, 14 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | wmpnp32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmpnp32.exe = "C:\\Windows\\SysWOW64\\wmpnp32.exe:*:Enabled:Windows Network Core" | wmpnp32.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List | wmpnp32.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | wmpnp32.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | wmpnp32.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | wmpnp32.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | wmpnp32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmpnp32.exe = "C:\\Windows\\SysWOW64\\wmpnp32.exe:*:Enabled:Windows Network Core" | wmpnp32.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | wmpnp32.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | wmpnp32.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications | wmpnp32.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wmpnp32.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wmpnp32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | wmpnp32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | wmpnp32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wmpnp32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wmpnp32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wmpnp32.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Deletes itself (1 IoCs)
pid | Process
3876 | wmpnp32.exe
Executes dropped EXE (2 IoCs)
pid | Process
3700 | wmpnp32.exe
3876 | wmpnp32.exe
resource | yara_rule
behavioral2/memory/5012-3-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
behavioral2/memory/5012-1-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
behavioral2/memory/5012-7-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
behavioral2/memory/3988-17-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/3988-16-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/3988-15-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/3988-14-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/3988-10-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/5012-6-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
behavioral2/memory/5012-5-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
behavioral2/memory/5012-4-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
behavioral2/memory/3988-56-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/3700-63-0x00000000021E0000-0x000000000326E000-memory.dmp | upx
behavioral2/memory/3700-66-0x00000000021E0000-0x000000000326E000-memory.dmp | upx
behavioral2/memory/3700-64-0x00000000021E0000-0x000000000326E000-memory.dmp | upx
behavioral2/memory/3700-62-0x00000000021E0000-0x000000000326E000-memory.dmp | upx
behavioral2/memory/3700-68-0x00000000021E0000-0x000000000326E000-memory.dmp | upx
behavioral2/memory/3700-67-0x00000000021E0000-0x000000000326E000-memory.dmp | upx
behavioral2/memory/3700-76-0x00000000021E0000-0x000000000326E000-memory.dmp | upx
behavioral2/memory/3700-59-0x00000000021E0000-0x000000000326E000-memory.dmp | upx
behavioral2/memory/3700-65-0x00000000021E0000-0x000000000326E000-memory.dmp | upx
behavioral2/memory/3876-82-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/3988-87-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/3876-88-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/3876-89-0x0000000000400000-0x000000000044C000-memory.dmp | upx
behavioral2/memory/3876-90-0x0000000000400000-0x000000000044C000-memory.dmp | upx
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wmpnp32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | wmpnp32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wmpnp32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wmpnp32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wmpnp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | wmpnp32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | wmpnp32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Network Core = "C:\\Windows\\SysWOW64\\wmpnp32.exe" | wmpnp32.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wmpnp32.exe
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | wmpnp32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | wmpnp32.exe
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wmpnp32.exe | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\wmpnp32.exe | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ | wmpnp32.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 5012 set thread context of 3988 | 5012 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe | 83
PID 3700 set thread context of 3876 | 3700 | wmpnp32.exe | 94
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpnp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmpnp32.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process
5012 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe (entry repeated 2 times)
3988 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe (entry repeated 4 times)
3700 | wmpnp32.exe (entry repeated 2 times)
3876 | wmpnp32.exe (entry repeated 4 times)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5012 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe (same entry repeated 64 times)
Suspicious use of WriteProcessMemory (48 IoCs)
description | pid | Process | procid_target
PID 5012 wrote to memory of 764 | 5012 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe | 8
PID 5012 wrote to memory of 772 | 5012 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe | 9
PID 5012 wrote to memory of 384 | 5012 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe | 13
PID 5012 wrote to memory of 3048 | 5012 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe | 50
PID 5012 wrote to memory of 2240 | 5012 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe | 51
PID 5012 wrote to memory of 972 | 5012 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe | 52
PID 5012 wrote to memory of 3372 | 5012 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe | 55
PID 5012 wrote to memory of 3988 | 5012 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe | 83 (entry repeated 7 times)
PID 5012 wrote to memory of 3584 | 5012 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe | 57
PID 5012 wrote to memory of 3788 | 5012 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe | 58
PID 5012 wrote to memory of 3880 | 5012 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe | 59
PID 5012 wrote to memory of 3940 | 5012 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe | 60
PID 5012 wrote to memory of 4028 | 5012 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe | 61
PID 5012 wrote to memory of 3696 | 5012 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe | 62
PID 5012 wrote to memory of 3532 | 5012 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe | 75
PID 5012 wrote to memory of 4072 | 5012 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe | 76
PID 5012 wrote to memory of 1168 | 5012 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe | 81
PID 3988 wrote to memory of 3700 | 3988 | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe | 93 (entry repeated 3 times)
PID 3700 wrote to memory of 3876 | 3700 | wmpnp32.exe | 94 (entry repeated 7 times)
PID 3700 wrote to memory of 764 | 3700 | wmpnp32.exe | 8
PID 3700 wrote to memory of 772 | 3700 | wmpnp32.exe | 9
PID 3700 wrote to memory of 384 | 3700 | wmpnp32.exe | 13
PID 3700 wrote to memory of 3048 | 3700 | wmpnp32.exe | 50
PID 3700 wrote to memory of 2240 | 3700 | wmpnp32.exe | 51
PID 3700 wrote to memory of 972 | 3700 | wmpnp32.exe | 52
PID 3700 wrote to memory of 3372 | 3700 | wmpnp32.exe | 55
PID 3700 wrote to memory of 3584 | 3700 | wmpnp32.exe | 57
PID 3700 wrote to memory of 3788 | 3700 | wmpnp32.exe | 58
PID 3700 wrote to memory of 3880 | 3700 | wmpnp32.exe | 59
PID 3700 wrote to memory of 3940 | 3700 | wmpnp32.exe | 60
PID 3700 wrote to memory of 4028 | 3700 | wmpnp32.exe | 61
PID 3700 wrote to memory of 3696 | 3700 | wmpnp32.exe | 62
PID 3876 wrote to memory of 3372 | 3876 | wmpnp32.exe | 55 (entry repeated 2 times)
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wmpnp32.exe
Processes
(indentation shows depth in the process tree; signatures triggered by a process are listed beneath it)
C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"  PID: 764
C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"  PID: 772
C:\Windows\system32\dwm.exe  cmd: "dwm.exe"  PID: 384
C:\Windows\system32\sihost.exe  cmd: sihost.exe  PID: 3048
C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID: 2240
C:\Windows\system32\taskhostw.exe  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID: 972
C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE  PID: 3372
  C:\Users\Admin\AppData\Local\Temp\d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe"  PID: 5012
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Users\Admin\AppData\Local\Temp\d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\d71ade5c60623d536289f4c276f530d9_JaffaCakes118.exe"  PID: 3988
      - Checks computer location settings
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\wmpnp32.exe  cmd: "C:\Windows\SysWOW64\wmpnp32.exe" C:\Users\Admin\AppData\Local\Temp\D71ADE~1.EXE  PID: 3700
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Windows\SysWOW64\wmpnp32.exe  cmd: "C:\Windows\SysWOW64\wmpnp32.exe" C:\Users\Admin\AppData\Local\Temp\D71ADE~1.EXE  PID: 3876
          - Modifies firewall policy service
          - Deletes itself
          - Executes dropped EXE
          - Adds Run key to start application
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID: 3584
C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID: 3788
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID: 3880
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID: 3940
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID: 4028
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID: 3696
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID: 3532
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID: 4072
C:\Windows\system32\backgroundTaskHost.exe  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  PID: 1168
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (6)
Downloads
Filesize: 257B
MD5: 5b6ad0de939d28b536ef84d64debec95
SHA1: 05b7685c82354f85fa4801aeedf0446adc22322e
SHA256: 7fc8babcf620a841d92d0cb4bf57380db4ef8d5f722265c853f7ea41c11c2a86
SHA512: 8897985a51e627880b65d07fb30b7a64aa87bdd3466aee0ea24d0c8615ed44974f73ad1b3776d2b1688fb550817de29e1d5276f8afde4fbe658bff8539fae231

Filesize: 226KB
MD5: d71ade5c60623d536289f4c276f530d9
SHA1: ba8517b57275e318764db077fc0620ce2aed3cb3
SHA256: e50ddca12e69a7532d4040a3798a304571e4161b6947663cd03a5680f796e60f
SHA512: 2ee79fb1ef2b20607c4deaea208596bc0609c9091717e221160181f21ff3d9d8e006f631d777fdfca1bce125d9deb8422be96349907314c0145c708719abce24