sality | 08131f143bb96f0cd77981f3b0f9ccefec2b4cdc2b0b35f7b2618d4473d978e6

Analysis

max time kernel
145s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Size

615KB
MD5

ff02090f6ffee0c663e0ffb9af4ead08
SHA1

9752ff6838dd149c496d2f0e83a52a5966789834
SHA256

08131f143bb96f0cd77981f3b0f9ccefec2b4cdc2b0b35f7b2618d4473d978e6
SHA512

621754d66327672309d12c35b86062e579c6d004db16a3ad26de36651d1a9735d12e9d85ff6629c7ea7b48072b36aca3027229d452eeba8152cc4bf8340e5331
SSDEEP

12288:4wp5BPtw9eMgUBmW5KnCcetYGmfjrtilztP3MgUNmW5BKtYGqfjEn3Ym:4wVC97B9yCceKGm7xN95sKGq7En3Ym

Score

10^/10

sality backdoor discovery evasion persistence privilege_escalation trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4000	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
5012	Setup64.exe

Loads dropped DLL 4 IoCs

pid	Process
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1172-6-0x00000000023F0000-0x0000000003420000-memory.dmp	upx
behavioral2/memory/1172-3-0x00000000023F0000-0x0000000003420000-memory.dmp	upx
behavioral2/memory/1172-10-0x00000000023F0000-0x0000000003420000-memory.dmp	upx
behavioral2/memory/1172-17-0x00000000023F0000-0x0000000003420000-memory.dmp	upx
behavioral2/memory/1172-33-0x00000000023F0000-0x0000000003420000-memory.dmp	upx
behavioral2/memory/1172-136-0x00000000023F0000-0x0000000003420000-memory.dmp	upx
behavioral2/memory/1172-139-0x00000000023F0000-0x0000000003420000-memory.dmp	upx
behavioral2/memory/1172-142-0x00000000023F0000-0x0000000003420000-memory.dmp	upx
behavioral2/memory/1172-143-0x00000000023F0000-0x0000000003420000-memory.dmp	upx
behavioral2/memory/1172-160-0x00000000023F0000-0x0000000003420000-memory.dmp	upx
behavioral2/memory/1172-172-0x00000000023F0000-0x0000000003420000-memory.dmp	upx

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
File created	C:\Program Files (x86)\Feitian\ROCKEY200\WEB CLIENT NETWORK\e58d906	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
File created	C:\Program Files (x86)\Feitian\ROCKEY200\Setup64.exe	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
File created	C:\Program Files (x86)\Feitian\ROCKEY200\MICROSOFT TERMINAL SERVICES\e5840bd	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
File created	C:\Program Files (x86)\Feitian\ROCKEY200\MICROSOFT WINDOWS NETWORK\e5884fa	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
File created	C:\Windows\Testry5_install_vis_GD_merger.cxx	Setup64.exe
File created	C:\Windows\Testry5_install_vis_GD_merger.cxx.e	Setup64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
Token: SeDebugPrivilege	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 772	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	8
PID 1172 wrote to memory of 776	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	9
PID 1172 wrote to memory of 332	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	13
PID 1172 wrote to memory of 2628	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	50
PID 1172 wrote to memory of 612	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	51
PID 1172 wrote to memory of 3144	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	52
PID 1172 wrote to memory of 3472	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	56
PID 1172 wrote to memory of 3600	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	57
PID 1172 wrote to memory of 3788	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	58
PID 1172 wrote to memory of 3884	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	59
PID 1172 wrote to memory of 3952	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	60
PID 1172 wrote to memory of 4032	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	61
PID 1172 wrote to memory of 4104	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	62
PID 1172 wrote to memory of 2352	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	64
PID 1172 wrote to memory of 4120	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	76
PID 1172 wrote to memory of 4000	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	82
PID 1172 wrote to memory of 4000	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	82
PID 1172 wrote to memory of 4000	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	82
PID 1172 wrote to memory of 5012	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	84
PID 1172 wrote to memory of 5012	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	84
PID 1172 wrote to memory of 772	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	8
PID 1172 wrote to memory of 776	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	9
PID 1172 wrote to memory of 332	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	13
PID 1172 wrote to memory of 2628	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	50
PID 1172 wrote to memory of 612	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	51
PID 1172 wrote to memory of 3144	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	52
PID 1172 wrote to memory of 3472	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	56
PID 1172 wrote to memory of 3600	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	57
PID 1172 wrote to memory of 3788	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	58
PID 1172 wrote to memory of 3884	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	59
PID 1172 wrote to memory of 3952	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	60
PID 1172 wrote to memory of 4032	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	61
PID 1172 wrote to memory of 4104	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	62
PID 1172 wrote to memory of 2352	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	64
PID 1172 wrote to memory of 4120	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	76
PID 1172 wrote to memory of 772	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	8
PID 1172 wrote to memory of 776	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	9
PID 1172 wrote to memory of 332	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	13
PID 1172 wrote to memory of 2628	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	50
PID 1172 wrote to memory of 612	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	51
PID 1172 wrote to memory of 3144	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	52
PID 1172 wrote to memory of 3472	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	56
PID 1172 wrote to memory of 3600	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	57
PID 1172 wrote to memory of 3788	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	58
PID 1172 wrote to memory of 3884	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	59
PID 1172 wrote to memory of 3952	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	60
PID 1172 wrote to memory of 4032	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	61
PID 1172 wrote to memory of 4104	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	62
PID 1172 wrote to memory of 2352	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	64
PID 1172 wrote to memory of 4120	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	76
PID 1172 wrote to memory of 772	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	8
PID 1172 wrote to memory of 776	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	9
PID 1172 wrote to memory of 332	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	13
PID 1172 wrote to memory of 2628	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	50
PID 1172 wrote to memory of 612	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	51
PID 1172 wrote to memory of 3144	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	52
PID 1172 wrote to memory of 3472	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	56
PID 1172 wrote to memory of 3600	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	57
PID 1172 wrote to memory of 3788	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	58
PID 1172 wrote to memory of 3884	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	59
PID 1172 wrote to memory of 3952	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	60
PID 1172 wrote to memory of 4032	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	61
PID 1172 wrote to memory of 4104	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	62
PID 1172 wrote to memory of 2352	1172	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe	64

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:772

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:332

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:612

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3144

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ff02090f6ffee0c663e0ffb9af4ead08_JaffaCakes118.exe"
  2⤵
  - UAC bypass
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1172
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4000
- - C:\Program Files (x86)\Feitian\ROCKEY200\Setup64.exe
    "Setup64.exe" /ishaveinst/B5DD8C72-B63B-4ee1-A023-FD13A8FE8F42_Rockey200051221
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:5012
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1064
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3024
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4584
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3788

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3952

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4032

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4104

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2352

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Feitian\ROCKEY200\Setup64.exe

Filesize
489KB

MD5
67970f766f50acb40b71adc44a3f942e

SHA1
c0208a34bae19787d694cc93ed6bb40d684fc184

SHA256
2ad42a3b7fd1fdb5ebfd84680e5c7c7cae4890b7ed985b98bd6f123255500c9e

SHA512
278f0e53d0f34d742ef62091abe2301dca3b98216fd7094425cdeb8052d08314dbd520c96735b74dd5c313b033c7f38b3e489048996346168edb635ba7a7d0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC5C2.tmp\InstallOptions.dll

Filesize
14KB

MD5
0dc0cc7a6d9db685bf05a7e5f3ea4781

SHA1
5d8b6268eeec9d8d904bc9d988a4b588b392213f

SHA256
8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c

SHA512
814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC5C2.tmp\LangDLL.dll

Filesize
5KB

MD5
a401e590877ef6c928d2a97c66157094

SHA1
75e24799cf67e789fadcc8b7fddefc72fdc4cd61

SHA256
2a7f33ef64d666a42827c4dc377806ad97bc233819197adf9696aed5be5efac0

SHA512
6093415cd090e69cdcb52b5d381d0a8b3e9e5479dac96be641e0071f1add26403b27a453febd8ccfd16393dc1caa03404a369c768a580781aba3068415ee993f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC5C2.tmp\UserInfo.dll

Filesize
4KB

MD5
1e8e11f465afdabe97f529705786b368

SHA1
ea42bed65df6618c5f5648567d81f3935e70a2a0

SHA256
7d099352c82612ab27ddfd7310c1aa049b58128fb04ea6ea55816a40a6f6487b

SHA512
16566a8c1738e26962139aae893629098dc759e4ac87df3e8eb9819df4e0e422421836bb1e4240377e00fb2f4408ce40f40eee413d0f6dd2f3a4e27a52d49a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfC5C2.tmp\ioSpecial.ini

Filesize
717B

MD5
a9819f0f304cc8f54cec48435361d923

SHA1
634739a70d7672f57e57d6883948737fb0c0157e

SHA256
7d4a649a3bb4344a340b0367696bc2158b1caca83694375935d410bd5df830e2

SHA512
0e65ea1f84a629739b605fdea939e8a2dffc6bd1284d109d196eb3ae539ca0baf39ec5dbee11e980b090d728c7672f268e0083faaa22b7fdfaa7f1b79cc0c98b

Download Submit
memory/1064-177-0x00000000010F0000-0x0000000001107000-memory.dmp

Filesize
92KB

Download
memory/1064-176-0x00000000010F0000-0x0000000001107000-memory.dmp

Filesize
92KB

Download
memory/1172-33-0x00000000023F0000-0x0000000003420000-memory.dmp

Filesize
16.2MB

Download
memory/1172-136-0x00000000023F0000-0x0000000003420000-memory.dmp

Filesize
16.2MB

Download
memory/1172-9-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download
memory/1172-17-0x00000000023F0000-0x0000000003420000-memory.dmp

Filesize
16.2MB

Download
memory/1172-10-0x00000000023F0000-0x0000000003420000-memory.dmp

Filesize
16.2MB

Download
memory/1172-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1172-3-0x00000000023F0000-0x0000000003420000-memory.dmp

Filesize
16.2MB

Download
memory/1172-14-0x0000000003CE0000-0x0000000003CE2000-memory.dmp

Filesize
8KB

Download
memory/1172-133-0x0000000003CE0000-0x0000000003CE2000-memory.dmp

Filesize
8KB

Download
memory/1172-8-0x0000000003CE0000-0x0000000003CE2000-memory.dmp

Filesize
8KB

Download
memory/1172-139-0x00000000023F0000-0x0000000003420000-memory.dmp

Filesize
16.2MB

Download
memory/1172-142-0x00000000023F0000-0x0000000003420000-memory.dmp

Filesize
16.2MB

Download
memory/1172-143-0x00000000023F0000-0x0000000003420000-memory.dmp

Filesize
16.2MB

Download
memory/1172-160-0x00000000023F0000-0x0000000003420000-memory.dmp

Filesize
16.2MB

Download
memory/1172-172-0x00000000023F0000-0x0000000003420000-memory.dmp

Filesize
16.2MB

Download
memory/1172-13-0x0000000003CE0000-0x0000000003CE2000-memory.dmp

Filesize
8KB

Download
memory/1172-6-0x00000000023F0000-0x0000000003420000-memory.dmp

Filesize
16.2MB

Download
memory/1172-186-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3024-178-0x0000000000D30000-0x0000000000D47000-memory.dmp

Filesize
92KB

Download