Analysis
-
max time kernel
26s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/10/2024, 05:56
Behavioral task
behavioral1
Sample
2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
25 signatures
150 seconds
General
-
Target
2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe
-
Size
480KB
-
MD5
2c11b04be8bf8cb4b3b39bb144049bba
-
SHA1
11a72e3e277515c288b343980289915b0a939438
-
SHA256
c4efeb9f9354910eb7cbfa1ae90aac7726ae014a6371ffbf27af8612a5dd5e5f
-
SHA512
e3b5c768f77c28eb5148cf30561a205f6b29d8fb1fee93413fae693fd69047efe3e30c9bf9b01bbca3cd94cbd57e40ec0156df981d1c75f401d1e7ea230c7f88
-
SSDEEP
6144:k9yGK4EDyGaLquWiVAJvRmiaPd+avl+Lwedot3Aq8hqJrmfbWWK:ny2gq7VFDweuiRU0TWX
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Detect Neshta payload 3 IoCs
resource yara_rule behavioral2/files/0x0006000000020223-41.dat family_neshta behavioral2/memory/5040-115-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/5040-164-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe -
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe -
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe -
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened (read-only) \??\J: 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened (read-only) \??\K: 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened (read-only) \??\L: 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened (read-only) \??\E: 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened (read-only) \??\G: 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened (read-only) \??\H: 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened (read-only) \??\I: 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened (read-only) \??\M: 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe -
resource yara_rule behavioral2/memory/3424-13-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/3424-16-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/3424-15-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/3424-17-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/3424-27-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/3424-30-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/3424-18-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/3424-33-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/3424-34-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/3424-37-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/3424-36-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/3424-52-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/3424-58-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/3424-57-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/3424-65-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/5040-121-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-128-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-127-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-125-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-124-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-122-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-126-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-123-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-119-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-143-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-142-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-155-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-156-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-158-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-160-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-161-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-162-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-165-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-166-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-168-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-170-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx behavioral2/memory/5040-228-0x0000000003C60000-0x0000000004CEE000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\svchost.com 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe File opened for modification C:\Windows\SYSTEM.INI 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe -
Modifies registry class 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Token: SeDebugPrivilege 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 61 IoCs
description pid Process procid_target PID 5040 wrote to memory of 3424 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 86 PID 5040 wrote to memory of 3424 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 86 PID 5040 wrote to memory of 3424 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 86 PID 3424 wrote to memory of 768 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 8 PID 3424 wrote to memory of 772 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 9 PID 3424 wrote to memory of 1020 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 13 PID 3424 wrote to memory of 2920 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 49 PID 3424 wrote to memory of 2960 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 50 PID 3424 wrote to memory of 2644 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 52 PID 3424 wrote to memory of 3432 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 56 PID 3424 wrote to memory of 3576 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 57 PID 3424 wrote to memory of 3768 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 58 PID 3424 wrote to memory of 3864 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 59 PID 3424 wrote to memory of 3952 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 60 PID 3424 wrote to memory of 4036 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 61 PID 3424 wrote to memory of 3468 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 62 PID 3424 wrote to memory of 4508 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 74 PID 3424 wrote to memory of 4024 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 76 PID 3424 wrote to memory of 3836 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 80 PID 3424 wrote to memory of 4988 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 81 PID 3424 wrote to memory of 5040 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 82 PID 3424 wrote to memory of 5040 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 82 PID 3424 wrote to memory of 3116 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 84 PID 3424 wrote to memory of 1708 3424 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 85 PID 5040 wrote to memory of 768 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 8 PID 5040 wrote to memory of 772 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 9 PID 5040 wrote to memory of 1020 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 13 PID 5040 wrote to memory of 2920 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 49 PID 5040 wrote to memory of 2960 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 50 PID 5040 wrote to memory of 2644 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 52 PID 5040 wrote to memory of 3432 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 56 PID 5040 wrote to memory of 3576 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 57 PID 5040 wrote to memory of 3768 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 58 PID 5040 wrote to memory of 3864 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 59 PID 5040 wrote to memory of 3952 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 60 PID 5040 wrote to memory of 4036 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 61 PID 5040 wrote to memory of 3468 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 62 PID 5040 wrote to memory of 4508 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 74 PID 5040 wrote to memory of 4024 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 76 PID 5040 wrote to memory of 3836 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 80 PID 5040 wrote to memory of 4988 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 81 PID 5040 wrote to memory of 3116 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 84 PID 5040 wrote to memory of 1708 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 85 PID 5040 wrote to memory of 768 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 8 PID 5040 wrote to memory of 772 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 9 PID 5040 wrote to memory of 1020 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 13 PID 5040 wrote to memory of 2920 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 49 PID 5040 wrote to memory of 2960 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 50 PID 5040 wrote to memory of 2644 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 52 PID 5040 wrote to memory of 3432 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 56 PID 5040 wrote to memory of 3576 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 57 PID 5040 wrote to memory of 3768 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 58 PID 5040 wrote to memory of 3864 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 59 PID 5040 wrote to memory of 3952 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 60 PID 5040 wrote to memory of 4036 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 61 PID 5040 wrote to memory of 3468 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 62 PID 5040 wrote to memory of 4508 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 74 PID 5040 wrote to memory of 4024 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 76 PID 5040 wrote to memory of 3836 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 80 PID 5040 wrote to memory of 3116 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 84 PID 5040 wrote to memory of 1708 5040 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe 85 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:768
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:772
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:1020
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2920
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2960
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2644
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3432
-
C:\Users\Admin\AppData\Local\Temp\2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Checks computer location settings
- Modifies system executable filetype association
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5040 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\2c11b04be8bf8cb4b3b39bb144049bba_JaffaCakes118.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3424
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3576
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3768
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3864
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3952
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4036
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3468
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:4508
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4024
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵PID:3836
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:4988
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3116
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:1708
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
86KB
MD53b73078a714bf61d1c19ebc3afc0e454
SHA19abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA51275959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4
-
Filesize
364KB
MD56f58a1d8e7b031c6f2a60ba04d1a0b7d
SHA164ced7781de492d15f0d443faffd2d0244b43e56
SHA256b7a82904d92b096cb6ab537365f9c7f24b1ecefaa6ea7974c24e8102b1746f4b
SHA51281371904cbe4dd5062e9ede60c3a0429adcd8c7b62dcb5f45b122280d2e3fb5d1ddd4b0f109d972b919e67cde99636cdd952082cd74b567769211ea389a89912
-
Filesize
440KB
MD5673917ae89ec8828a3bdb6215b6f0453
SHA18d3190f2acbf38bb06d3dbc015590308ad544bf4
SHA2568f4a1f9d9d4962adcac98f74d8df302ac33a8ad11b2520dec0fd2201a629fed7
SHA512adedb168c20179e54ce114f7e41f8cf3e85cad6dbc6d1ce718c40d1d8149a393ee473329a0de52d911b173898896d680fbe8cd0c5ba0159376206ceea4481d16
-
Filesize
257B
MD5794162b3875e5694abd986f8b0f12959
SHA1d8b0da41384c5dc0f9a120a5d34576632ffe33ae
SHA256e5dbb588c4340e3bca0dddbb96f287a7c22e3026ec75b7ebb8e3edfa452fbfee
SHA5126035cfca2f8306b0525d128658f6f30f055d7bad7a0db3724dd51bd165b96db077e1522b141a383ec5731f152b85c72f1a50624923d89f49d16a7d416ebd9a97