Analysis
max time kernel: 149s
max time network: 117s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 30/09/2024, 13:25
Static task: static1
Behavioral task: behavioral1
Sample: 018e347071b70018319badca3244adde_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 018e347071b70018319badca3244adde_JaffaCakes118.exe
Size: 2.1MB
MD5: 018e347071b70018319badca3244adde
SHA1: 6c6f4b8fb5786b2999c828e48b8d2cf7e20d2003
SHA256: 32074376028158d1f6a2039496430d61785d0c262d87c6a0a9d0ecc64d385745
SHA512: 167ecf494554b7665280184d21c75506aaa06fbbdd48395b88dfb9fbeda73a91a9a5ca5349ff302c83750cf57e09d65cfa814560ced3123bc7274f6c241a5f32
SSDEEP: 49152:dKjQ9KgIzMsjwlqaDXtWMpib7XWO+Knxl9XFrY6VcVG57FYVP:sjQKgBDlqaDXtWMUu2e6OF
Malware Config
Extracted family: sality
Signatures
Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 018e347071b70018319badca3244adde_JaffaCakes118.exe
UAC bypass (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Windows security bypass (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Disables Task Manager via registry modification
Loads dropped DLL (1 IoCs)
pid | Process
2524 | java.exe
Windows security modification (7 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Checks whether UAC is enabled (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened (read-only) | \??\I: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened (read-only) | \??\M: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened (read-only) | \??\Q: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened (read-only) | \??\R: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened (read-only) | \??\V: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened (read-only) | \??\W: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened (read-only) | \??\N: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened (read-only) | \??\O: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened (read-only) | \??\T: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened (read-only) | \??\U: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened (read-only) | \??\Y: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened (read-only) | \??\E: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened (read-only) | \??\H: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened (read-only) | \??\X: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened (read-only) | \??\Z: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened (read-only) | \??\J: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened (read-only) | \??\K: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened (read-only) | \??\L: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened (read-only) | \??\P: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened (read-only) | \??\S: | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened for modification | F:\autorun.inf | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Memory dumps matching yara rule upx (24 IoCs)
resource | yara_rule
behavioral1/memory/2412-1-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-4-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-7-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-9-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-8-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-10-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-6-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-12-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-11-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-31-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-30-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-33-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-37-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-36-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-47-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-49-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-54-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-63-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-98-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-131-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-133-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-134-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-137-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2412-138-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 018e347071b70018319badca3244adde_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Modifies registry class (2 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\RNDKEY-2198653995584078722 | java.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\rndkey-2198653995584078722 | java.exe
Suspicious behavior: EnumeratesProcesses (15 IoCs)
pid | Process
2412 | 018e347071b70018319badca3244adde_JaffaCakes118.exe (15 identical entries)
Suspicious use of AdjustPrivilegeToken (29 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2412 | 018e347071b70018319badca3244adde_JaffaCakes118.exe (29 identical entries)
Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
2524 | java.exe (4 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs; duplicate entries collapsed, distinct target PIDs listed)
description | pid | Process | procid_target
PID 2412 wrote to memory of 476 | 2412 | 018e347071b70018319badca3244adde_JaffaCakes118.exe | 31
PID 2412 wrote to memory of 1104 | 2412 | 018e347071b70018319badca3244adde_JaffaCakes118.exe | 19
PID 2412 wrote to memory of 1152 | 2412 | 018e347071b70018319badca3244adde_JaffaCakes118.exe | 20
PID 2412 wrote to memory of 1184 | 2412 | 018e347071b70018319badca3244adde_JaffaCakes118.exe | 21
PID 2412 wrote to memory of 1352 | 2412 | 018e347071b70018319badca3244adde_JaffaCakes118.exe | 23
PID 2412 wrote to memory of 2524 | 2412 | 018e347071b70018319badca3244adde_JaffaCakes118.exe | 33
PID 2412 wrote to memory of 2544 | 2412 | 018e347071b70018319badca3244adde_JaffaCakes118.exe | 34
System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 018e347071b70018319badca3244adde_JaffaCakes118.exe
Processes
C:\Windows\system32\taskhost.exe ("taskhost.exe") PID:1104
C:\Windows\system32\Dwm.exe ("C:\Windows\system32\Dwm.exe") PID:1152
C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE) PID:1184
    C:\Users\Admin\AppData\Local\Temp\018e347071b70018319badca3244adde_JaffaCakes118.exe ("C:\Users\Admin\AppData\Local\Temp\018e347071b70018319badca3244adde_JaffaCakes118.exe") PID:2412
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
        C:\Program Files\Java\jre7\bin\java.exe ("C:\Program Files\Java\jre7\bin\java.exe" -classpath C:\Users\Admin\AppData\Local\Temp\\NBI95301.tmp TestJDK) PID:476
        C:\Program Files\Java\jre7\bin\java.exe ("C:\Program Files\Java\jre7\bin\java.exe" -Djava.io.tmpdir=C:\Users\Admin\AppData\Local\Temp\ -Xmx256m -Xms64m "-Dnbi.local.directory.path=C:\Documents and Settings\user\.nbi" -classpath C:\Users\Admin\AppData\Local\Temp\\NBI95301.tmp\uninstall.jar org.netbeans.installer.Installer --target nb-base 6.9.1.0.0 --force-uninstall) PID:2524
        - Loads dropped DLL
        - Modifies registry class
        - Suspicious use of SetWindowsHookEx
C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:1352
C:\Windows\system32\conhost.exe (\??\C:\Windows\system32\conhost.exe "-20981514661014199131-760564693-1386801008-4207574951186118271-1120444631761564898") PID:2544
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads