Analysis
max time kernel: 124s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/10/2024, 04:17
Static task: static1
Behavioral task: behavioral1
Sample: 3864b6aa8799ea329390572a21068d4f_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 3864b6aa8799ea329390572a21068d4f_JaffaCakes118.exe
Size: 100KB
MD5: 3864b6aa8799ea329390572a21068d4f
SHA1: b96194979e36cc3b346206cda74d168e93d88d57
SHA256: e8954e969e203de287d9d8c033c2a30493ef8ebd0795b4e837de9aeb1901d15e
SHA512: 58d9225a4bac1890ded79f456b0926ef9c96b07f2d359eb518f269240a50b86821ec897c6d9792c05c7b92fb65bcced3f05af08eb59b209e722f161f7e0d7e75
SSDEEP: 1536:Fbb9EpYNADxFOhPuLDF/yhf3/m6wkeEKJ8xIJzzKD2Pn7gU2nBWofto/A:Ff9EpSmFRDFg/e/xlJzzcQ7gUcBWofW
Malware Config
Extracted family: sality
URLs recovered from the sample's configuration:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
These are static extraction results, i.e. what the config parser pulled out of the binary. They are block/alert indicators; the Network section of this extract is empty, so the report does not show whether the sandbox run actually contacted any of them.
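The practical use of the list above is to sweep proxy and DNS logs for it. The following is an added example (not part of the sandbox report or of any Sality tooling): it takes the six URLs exactly as listed, reduces them to hosts, and matches them against log lines with label-boundary subdomain matching so that a look-alike such as notkukutrustnet777.info does not trigger. The Squid access-log and BIND query-log lines it runs over are constructed for the example, as are the internal IP addresses and timestamps in them.

```python
"""Match the C2 URLs from this report's Malware Config against proxy and DNS logs.

Added example (not part of the sandbox report). The indicator list is copied
from the report; the log lines below are constructed to exercise the matching.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Indicators exactly as listed under "Malware Config" in the report.
SALITY_C2_URLS = [
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif",
    "http://kukutrustnet888.info/home.gif",
    "http://kukutrustnet987.info/home.gif",
    "http://www.klkjwre9fqwieluoi.info/",
    "http://kukutrustnet777888.info/",
]

# Hosts in "http://host/..." tokens and in BIND-style "query: host IN" records.
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)")
DNS_QUERY_RE = re.compile(r"query:\s+(\S+)\s+IN\b")


def indicator_hosts(urls):
    """Split indicator URLs into (domains, ips).

    A leading "www." is dropped so the registered name and all of its
    subdomains match; IP literals are kept apart because suffix matching
    makes no sense for them.
    """
    domains, ips = set(), set()
    for url in urls:
        host = urlparse(url).hostname
        if not host:
            continue
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domains.add(host[4:] if host.startswith("www.") else host)
    return domains, ips


def host_matches(host, domains, ips):
    """True if host is an indicator IP, an indicator domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    if host in ips:
        return True
    # Require the label boundary (the dot): "notkukutrustnet777.info" must not
    # match "kukutrustnet777.info".
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_lines(lines, urls=SALITY_C2_URLS):
    """Return [(line_number, matched_host)] for lines that reference an indicator."""
    domains, ips = indicator_hosts(urls)
    hits = []
    for number, line in enumerate(lines, start=1):
        for host in URL_HOST_RE.findall(line) + DNS_QUERY_RE.findall(line):
            if host_matches(host, domains, ips):
                hits.append((number, host.lower().rstrip(".")))
                break  # one hit per line is enough for alerting
    return hits


# Constructed sample input (Squid access-log and BIND query-log lines), not from the report.
SAMPLE_LOG = """\
1733804251.101     45 10.0.0.5 TCP_MISS/200 512 GET http://kukutrustnet777.info/home.gif - HIER_DIRECT/203.0.113.9 image/gif
1733804252.340     12 10.0.0.5 TCP_MISS/404 310 GET http://89.119.67.154/testo5/ - HIER_DIRECT/89.119.67.154 text/html
1733804253.007      8 10.0.0.7 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html
Dec 10 04:17:33 ns1 named[4121]: client 10.0.0.5#49213: query: kukutrustnet987.info IN A + (10.0.0.2)
Dec 10 04:17:34 ns1 named[4121]: client 10.0.0.5#49214: query: cdn.klkjwre9fqwieluoi.info IN A + (10.0.0.2)
Dec 10 04:17:35 ns1 named[4121]: client 10.0.0.9#49215: query: notkukutrustnet777.info IN A + (10.0.0.2)
"""

if __name__ == "__main__":
    for number, host in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {host}")
```

Four of the six constructed lines match (the two proxy requests, the direct query for kukutrustnet987.info and the subdomain query under klkjwre9fqwieluoi.info); the example.com request and the look-alike domain do not. Feed real logs in via `scan_lines(open(path).read().splitlines())`.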
Signatures
Unless stated otherwise, the process for every IoC in this section is 3864b6aa8799ea329390572a21068d4f_JaffaCakes118.exe (PID 2468).

Modifies firewall policy service (3 TTPs, 3 IoCs)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
EnableFirewall = 0 switches the Windows Firewall standard profile off and DisableNotifications = 1 suppresses the user-facing warning about it.

The names of the next four signatures did not survive extraction; they are taken, in order, from the process-tree summary further down, which lists them between "Modifies firewall policy service" and "Enumerates connected drives".

UAC bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
EnableLUA = 0 disables User Account Control altogether; the change takes effect at the next logon.

Windows security bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
These are the legacy Security Center switches: the *Override values tell Security Center that antivirus and firewall are under third-party management, and the *DisableNotify values silence its alerts, so the user sees no warning about the disabled firewall and UAC. The key sits under Wow6432Node because the sample is a 32-bit process on the x64 image.

Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
The same six writes as the previous signature, plus creation of the Security Center\Svc subkey.

Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only), in the order recorded: \??\V: \??\L: \??\O: \??\S: \??\T: \??\U: \??\G: \??\N: \??\Q: \??\W: \??\E: \??\I: \??\X: \??\Y: \??\R: \??\Z: \??\H: \??\J: \??\K: \??\M: \??\P:
That is every letter from E: to Z: except F:, which is absent from this read-only probe and instead receives a write (see the autorun.inf signature).
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
- File opened for modification F:\autorun.inf
- File opened for modification C:\autorun.inf
F: is not in the read-only drive probe above and is written to here, consistent with a removable volume attached to the sandbox VM.
Memory yara rule match: upx (28 IoCs; the signature heading did not survive extraction)
All 28 matches are in PID 2468 (the sample) and cover the same region, 0x0000000001DD0000-0x0000000002E5E000 (0x108E000 bytes, about 16.6 MB), across successive memory snapshots. Dump names follow the pattern behavioral1/memory/2468-N-0x0000000001DD0000-0x0000000002E5E000-memory.dmp with N = 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 28, 29, 30, 32, 33, 34, 37, 38, 40, 41, 43, 60, 63, 65, 68, 74.
Drops file in Program Files directory (5 IoCs)
- File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe
- File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe
- File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
- File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe
All five targets are executables that already existed on the image. Sality is a polymorphic PE file infector, so opening existing executables for modification is consistent with its infection routine rather than with dropping new files as the signature name suggests. Treat every executable this process opened for modification as potentially infected and re-hash it against a known-good copy before trusting it.
Drops file in Windows directory (1 IoCs)
- File opened for modification C:\Windows\SYSTEM.INI
SYSTEM.INI is a 16-bit-era configuration file that nothing on Windows 7 normally writes, so a modification of it is a cheap host-triage artifact for this sample.
Enumerates physical storage devices (1 TTPs, no IoCs listed)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (13 IoCs)
- pid 2468, 3864b6aa8799ea329390572a21068d4f_JaffaCakes118.exe (13 occurrences)
Suspicious use of AdjustPrivilegeToken (33 IoCs)
- Token: SeDebugPrivilege, pid 2468, 3864b6aa8799ea329390572a21068d4f_JaffaCakes118.exe (33 occurrences)
Enabling SeDebugPrivilege lets the process open other processes regardless of their DACL; it precedes the cross-process writes below.
Suspicious use of WriteProcessMemory (52 IoCs)
Source: PID 2468, 3864b6aa8799ea329390572a21068d4f_JaffaCakes118.exe. The 52 events are 13 writes into each of four pre-existing session processes (process names from the process tree below; the original table's procid_target column in parentheses):
- PID 1116 taskhost.exe (19)
- PID 1168 Dwm.exe (20)
- PID 1204 Explorer.EXE (21)
- PID 1636 DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (25)
The sample spawns no child processes; writing into several already-running system processes is the injection pattern, and the SeDebugPrivilege adjustment above is what lets it open them.
System policy modification (1 TTPs, 1 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
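Taken together, the registry writes and the cross-process writes above form one recognisable pattern: firewall off, UAC off, Security Center silenced, then code written into several system processes. The following is an added example (not part of the sandbox report and not a rule from any vendor) that parses IoC lines in the report's own notation and scores them against MITRE ATT&CK technique IDs. The rule thresholds, the "Sality-like" verdict and the single benign control line for a hypothetical editor.exe are the example's own assumptions; the other lines in the excerpt are copied from the Signatures section.

```python
"""Score the registry and cross-process-write IoCs above as ATT&CK techniques.

Added example (not part of the sandbox report). Parses the report's own
'Set value (<type>) <key> = "<value>" <process>' and
'PID <src> wrote to memory of <dst> <src> <process> <procid_target>' notation.
Rule thresholds and the verdict are the example's assumptions.
"""
import re
from collections import defaultdict

SET_VALUE_RE = re.compile(r'Set value \((\w+)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+)')
PROC_WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

# Windows 7 Security Center switches that override or silence its checks.
SECURITY_CENTER_VALUES = {
    "AntiVirusOverride", "AntiVirusDisableNotify",
    "FirewallOverride", "FirewallDisableNotify",
    "UpdatesDisableNotify", "UacDisableNotify",
}
# All four techniques must be present for the verdict in sality_like().
SALITY_PATTERN = {"T1055", "T1548.002", "T1562.001", "T1562.004"}


def parse_events(text):
    """Turn report-style IoC text into a list of event dicts."""
    events = []
    for m in SET_VALUE_RE.finditer(text):
        key, _, name = m.group(2).rpartition("\\")
        events.append({"kind": "regset", "key": key, "name": name,
                       "value": m.group(3), "process": m.group(4)})
    for m in PROC_WRITE_RE.finditer(text):
        events.append({"kind": "procwrite", "pid": int(m.group(1)),
                       "target": int(m.group(2)), "process": m.group(4)})
    return events


def evaluate(events, min_injection_targets=3):
    """Map each process name to the sorted ATT&CK technique IDs its events trigger."""
    findings = defaultdict(set)
    write_targets = defaultdict(set)
    for e in events:
        if e["kind"] == "regset":
            key, name, value = e["key"].lower(), e["name"], e["value"]
            if "\\sharedaccess\\parameters\\firewallpolicy\\" in key and (
                    (name == "EnableFirewall" and value == "0")
                    or (name == "DisableNotifications" and value == "1")):
                findings[e["process"]].add("T1562.004")  # Disable or Modify System Firewall
            elif key.endswith("\\policies\\system") and name == "EnableLUA" and value == "0":
                findings[e["process"]].add("T1548.002")  # Bypass User Account Control
            elif "\\security center" in key and name in SECURITY_CENTER_VALUES and value == "1":
                findings[e["process"]].add("T1562.001")  # Disable or Modify Tools
        elif e["target"] != e["pid"]:
            write_targets[e["process"]].add(e["target"])
    # One source writing into several other processes is the injection pattern
    # (T1055); a single target could still be a legitimate debugger.
    for process, targets in write_targets.items():
        if len(targets) >= min_injection_targets:
            findings[process].add("T1055")
    return {p: sorted(t) for p, t in findings.items()}


def sality_like(findings):
    """Processes showing the whole firewall + UAC + Security Center + injection pattern."""
    return sorted(p for p, t in findings.items() if SALITY_PATTERN.issubset(t))


# Lines copied from the report's Signatures section, plus one constructed benign
# registry write by a hypothetical editor.exe as a control.
REPORT_EXCERPT = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 3864b6aa8799ea329390572a21068d4f_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 3864b6aa8799ea329390572a21068d4f_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 3864b6aa8799ea329390572a21068d4f_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 3864b6aa8799ea329390572a21068d4f_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 3864b6aa8799ea329390572a21068d4f_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 3864b6aa8799ea329390572a21068d4f_JaffaCakes118.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1000\Software\Contoso\Editor\Theme = "dark" editor.exe
PID 2468 wrote to memory of 1116 2468 3864b6aa8799ea329390572a21068d4f_JaffaCakes118.exe 19 PID 2468 wrote to memory of 1168 2468 3864b6aa8799ea329390572a21068d4f_JaffaCakes118.exe 20 PID 2468 wrote to memory of 1204 2468 3864b6aa8799ea329390572a21068d4f_JaffaCakes118.exe 21 PID 2468 wrote to memory of 1636 2468 3864b6aa8799ea329390572a21068d4f_JaffaCakes118.exe 25
"""

if __name__ == "__main__":
    findings = evaluate(parse_events(REPORT_EXCERPT))
    for process, techniques in findings.items():
        print(process, techniques)
    print("Sality-like:", sality_like(findings))
```

On the excerpt the sample is tagged T1055, T1548.002, T1562.001 and T1562.004 and is the only process returned by `sality_like`; editor.exe produces no finding. The injection rule deliberately counts distinct target processes rather than individual writes, so the 13-fold repetition of each write in the report does not inflate the score.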
Processes
The depth marker gives the nesting level in the process tree. taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe are the pre-existing session processes whose PIDs appear as targets in the WriteProcessMemory signature; the sample itself spawns nothing.

[1] C:\Windows\system32\taskhost.exe
    command line: "taskhost.exe"
    PID: 1116

[1] C:\Windows\system32\Dwm.exe
    command line: "C:\Windows\system32\Dwm.exe"
    PID: 1168

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 1204

    [2] C:\Users\Admin\AppData\Local\Temp\3864b6aa8799ea329390572a21068d4f_JaffaCakes118.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\3864b6aa8799ea329390572a21068d4f_JaffaCakes118.exe"
        PID: 2468
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

[1] C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 1636
Network
MITRE ATT&CK Enterprise v15
The number after each entry is the count of matching signatures.
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
The one downloadable artifact listed has the same 100KB size as the submitted sample but different hashes, so it is a distinct file; the extract does not record its name or path.
Filesize: 100KB
MD5: 7bbf85514cd730bf1c9a2000051804b7
SHA1: 400de38d80a8117a8bccf7e6ab6cf0e24c6ad443
SHA256: 9ca573caca2e307cbb75334bfc18ede18907d2ce44e7da61fb26b458bb62c194
SHA512: b96c41e079a540bc489a0bf9440b58673ae265e3cbbcfdfeccdb2a1cf20f6fad681d3e244d45973903848c3a52c7474b6a641c09201f36e80035a060cda93fe6