Analysis
-
max time kernel
122s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
13/10/2024, 06:25
Static task
static1
Behavioral task
behavioral1
Sample
3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Resource
win7-20240708-en
General
-
Target
3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
-
Size
100KB
-
MD5
3e4b983e96f36c9df616648be3ecc1a5
-
SHA1
f1cca76d841b421b9b38401c7c1165323b6b003e
-
SHA256
cff3ac04c77cce67e271092447a0985bdcea8e88f32370c99bd6e3133044bb3a
-
SHA512
1cf4a93b3f4073775bda1aebea2058e2c408bf9f07fd26f50e8e204b2b664fb63f26ee59e1fb0d5e772c76774c7552cf22862c91dcdf1b58cfc8346cbc256625
-
SSDEEP
1536:2FotvPH0vlEAMgZ7fx1xkvlVlVQQhiOAglwivvHBvUeIMzRX:Yotvv0ZVtfSvcOPAgL5PNX
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
-
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
-
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
-
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened (read-only) | \??\L: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened (read-only) | \??\M: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened (read-only) | \??\P: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened (read-only) | \??\V: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened (read-only) | \??\W: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened (read-only) | \??\I: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened (read-only) | \??\J: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened (read-only) | \??\S: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened (read-only) | \??\Y: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened (read-only) | \??\Z: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened (read-only) | \??\E: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened (read-only) | \??\K: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened (read-only) | \??\N: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened (read-only) | \??\T: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened (read-only) | \??\U: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened (read-only) | \??\G: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened (read-only) | \??\O: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened (read-only) | \??\Q: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened (read-only) | \??\R: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened (read-only) | \??\X: | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\autorun.inf | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened for modification | C:\autorun.inf | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
-
resource | yara_rule
behavioral2/memory/968-1-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-4-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-8-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-7-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-9-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-3-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-13-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-14-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-12-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-15-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-16-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-17-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-18-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-19-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-21-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-23-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-25-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-26-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-28-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-29-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-32-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-34-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-37-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-38-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-40-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-42-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-49-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-51-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-50-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-52-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-54-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-55-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-58-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-60-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-63-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-64-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-65-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-66-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-68-0x0000000002180000-0x000000000320E000-memory.dmp | upx
behavioral2/memory/968-70-0x0000000002180000-0x000000000320E000-memory.dmp | upx
-
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid | Process
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Token: SeDebugPrivilege | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 968 wrote to memory of 780 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 8
PID 968 wrote to memory of 788 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 9
PID 968 wrote to memory of 316 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 13
PID 968 wrote to memory of 2860 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 49
PID 968 wrote to memory of 2936 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 50
PID 968 wrote to memory of 2988 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 51
PID 968 wrote to memory of 3380 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 56
PID 968 wrote to memory of 3536 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 57
PID 968 wrote to memory of 3736 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 58
PID 968 wrote to memory of 3832 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 59
PID 968 wrote to memory of 3908 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 60
PID 968 wrote to memory of 3992 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 61
PID 968 wrote to memory of 4176 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 62
PID 968 wrote to memory of 372 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 75
PID 968 wrote to memory of 3624 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 76
PID 968 wrote to memory of 3588 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 80
PID 968 wrote to memory of 2404 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 81
PID 968 wrote to memory of 780 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 8
PID 968 wrote to memory of 788 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 9
PID 968 wrote to memory of 316 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 13
PID 968 wrote to memory of 2860 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 49
PID 968 wrote to memory of 2936 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 50
PID 968 wrote to memory of 2988 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 51
PID 968 wrote to memory of 3380 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 56
PID 968 wrote to memory of 3536 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 57
PID 968 wrote to memory of 3736 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 58
PID 968 wrote to memory of 3832 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 59
PID 968 wrote to memory of 3908 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 60
PID 968 wrote to memory of 3992 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 61
PID 968 wrote to memory of 4176 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 62
PID 968 wrote to memory of 372 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 75
PID 968 wrote to memory of 3624 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 76
PID 968 wrote to memory of 3588 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 80
PID 968 wrote to memory of 2404 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 81
PID 968 wrote to memory of 1936 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 84
PID 968 wrote to memory of 684 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 85
PID 968 wrote to memory of 780 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 8
PID 968 wrote to memory of 788 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 9
PID 968 wrote to memory of 316 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 13
PID 968 wrote to memory of 2860 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 49
PID 968 wrote to memory of 2936 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 50
PID 968 wrote to memory of 2988 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 51
PID 968 wrote to memory of 3380 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 56
PID 968 wrote to memory of 3536 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 57
PID 968 wrote to memory of 3736 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 58
PID 968 wrote to memory of 3832 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 59
PID 968 wrote to memory of 3908 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 60
PID 968 wrote to memory of 3992 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 61
PID 968 wrote to memory of 4176 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 62
PID 968 wrote to memory of 372 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 75
PID 968 wrote to memory of 3624 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 76
PID 968 wrote to memory of 3588 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 80
PID 968 wrote to memory of 1936 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 84
PID 968 wrote to memory of 684 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 85
PID 968 wrote to memory of 780 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 8
PID 968 wrote to memory of 788 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 9
PID 968 wrote to memory of 316 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 13
PID 968 wrote to memory of 2860 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 49
PID 968 wrote to memory of 2936 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 50
PID 968 wrote to memory of 2988 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 51
PID 968 wrote to memory of 3380 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 56
PID 968 wrote to memory of 3536 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 57
PID 968 wrote to memory of 3736 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 58
PID 968 wrote to memory of 3832 | 968 | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | 59
-
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe
Processes
Process | Command line | PID
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:316
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2860
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2936
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2988
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3380
  - C:\Users\Admin\AppData\Local\Temp\3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\3e4b983e96f36c9df616648be3ecc1a5_JaffaCakes118.exe" | PID:968
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3536
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3736
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3832
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3908
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3992
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4176
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:372
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3624
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:3588
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:2404
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1936
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:684
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:996
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
-
Filesize 100KB
MD5 1dd889845aed82b071609f5e0e62d5d0
SHA1 239c5665f0c0fb0e5d6f1c9f77b069c656013fe8
SHA256 d05852c1195ddbf314213c39010894cd5cee305b6bc973bb5307bca31bc4eae3
SHA512 d67b2f54d8bddb5529ba59764dce37d720b75c6dc182efde3fda898e256b2f1d11708e324353264abf4a04aef2c01c58e552a344587844b5258e8491d539accd