Analysis
max time kernel: 147s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05-10-2024 10:03
Static task: static1
Behavioral task: behavioral1
Sample: 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Size: 120KB
MD5: 173b206d1fa2c8dbd20d5a37528cc141
SHA1: 25ba39603c6b1f7b8c7a67b76266388fbd8e5616
SHA256: af8bab671376b74012af94d69871993c8d20fee7d762c83d9e200c997b236641
SHA512: 5e7c5fb83eaf0a31e8a9dee473d727808bc9807178f125457e20d123b616ed1196a1f1b32d8f5fa9a73f3078b6ef711ecb224b6e1ed6c0156920b36e35cb36d3
SSDEEP: 3072:99aLAJMReYjOr6++PGXFAFqsj4QEVGJs:7hMc6Dlj4ZG
Malware Config
Extracted family: sality
Signatures
Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Disables Task Manager via registry modification
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\M: \??\U: \??\Z: \??\E: \??\G: \??\H: \??\I: \??\K: \??\L: \??\T: \??\X: \??\J: \??\P: \??\Q: \??\S: \??\V: \??\N: \??\O: \??\R: \??\W: \??\Y: (21 rows, one per drive letter) | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
File opened for modification | F:\autorun.inf | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
YARA rule matches (25 IoCs)
resource | yara_rule
behavioral1/memory/2352-N-0x0000000001EA0000-0x0000000002F2E000-memory.dmp, for N = 1, 4, 6, 9, 10, 8, 7, 5, 3, 27, 26, 28, 29, 30, 32, 33, 34, 36, 38, 41, 60, 62, 63, 66, 68 (25 rows, one per dump, all covering the same memory range) | upx
Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (15 IoCs)
pid | Process
2352 | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe (this row repeats 15 times)
Suspicious use of AdjustPrivilegeToken (31 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2352 | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe (this row repeats 31 times)
Suspicious use of WriteProcessMemory (60 IoCs)
description | pid | Process | procid_target
PID 2352 wrote to memory of 1052 | 2352 | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe | 17
PID 2352 wrote to memory of 1104 | 2352 | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe | 19
PID 2352 wrote to memory of 1184 | 2352 | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe | 21
PID 2352 wrote to memory of 884 | 2352 | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe | 25
(these four rows repeat in this order, 15 times each, 60 rows in total)
System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe
Processes
- C:\Windows\system32\taskhost.exe ("taskhost.exe"), PID:1052
- C:\Windows\system32\Dwm.exe ("C:\Windows\system32\Dwm.exe"), PID:1104
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE), PID:1184
  - C:\Users\Admin\AppData\Local\Temp\173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe ("C:\Users\Admin\AppData\Local\Temp\173b206d1fa2c8dbd20d5a37528cc141_JaffaCakes118.exe"), PID:2352
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), PID:884
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
Filesize: 100KB
MD5: 2db8cd25a910ee18f5f125030deb6432
SHA1: 8914d9bd5ac5c3549227c9879ad6839b993dba31
SHA256: e2203d4897746c0703d4034fdcb097399fc7a7489ab0be7b786e551cd6d04426
SHA512: 7883248c91c809d7aeb4b81bc852d0a0176643ed79909b0c2b6abf01ee1482131af4251b7b71cb9ca2588d83ff6f2d2296d251251c146a0930176f4600057ac0