Analysis
max time kernel: 23s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2024 03:59
Behavioral task: behavioral1
Sample: a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Size: 4.6MB
MD5: a5c993b58253e0a4ce783c0ac17ce484
SHA1: 23eb0429016a479f990a1db1f48e66adee765d22
SHA256: aacce8c7e3e53c47a0830c4bc3a30b7e3d584010453665c9d46cf1de7b870b3f
SHA512: 644de74dd2fb33a6e1cbd2bde8bca5c03620ab4f4d1f6008d85e76846d5f7b35f4d282c461a7e9e053006a078ff18e4e91938d83b7c83a6343e79975d7cb59b2
SSDEEP: 98304:6Ulr4veVzbSJljtFUd6+3lsgL0cxJYWUTYdMSrZ7cp:vUvOz2Jljtq0+1v3xUToWp
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Detect Neshta payload 2 IoCs
resource yara_rule
behavioral1/files/0x0001000000010314-12.dat family_neshta
behavioral1/memory/3028-352-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process (all rows: a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe)
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Neshta
Neshta is a file-infecting malware family: it injects itself into other executables so that each infected file spreads the infection further and causes damage.
Neshta family
Sality family
description ioc Process (all rows: a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
description ioc Process (all rows: a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Executes dropped EXE 1 IoCs
pid Process
2740 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Loads dropped DLL 2 IoCs
pid Process
3028 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
3028 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
description ioc Process (all rows: a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
description ioc Process (all rows: a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process (all rows: a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe)
File opened (read-only) \??\E:
File opened (read-only) \??\G:
File opened (read-only) \??\G:
File opened (read-only) \??\H:
File opened (read-only) \??\I:
File opened (read-only) \??\J:
File opened (read-only) \??\K:
File opened (read-only) \??\H:
File opened (read-only) \??\E:
resource yara_rule
behavioral1/memory/2740-17-0x0000000001E30000-0x0000000002EBE000-memory.dmp upx
behavioral1/memory/2740-16-0x0000000001E30000-0x0000000002EBE000-memory.dmp upx
behavioral1/memory/2740-27-0x0000000001E30000-0x0000000002EBE000-memory.dmp upx
behavioral1/memory/2740-19-0x0000000001E30000-0x0000000002EBE000-memory.dmp upx
behavioral1/memory/2740-29-0x0000000001E30000-0x0000000002EBE000-memory.dmp upx
behavioral1/memory/2740-28-0x0000000001E30000-0x0000000002EBE000-memory.dmp upx
behavioral1/memory/2740-18-0x0000000001E30000-0x0000000002EBE000-memory.dmp upx
behavioral1/memory/2740-15-0x0000000001E30000-0x0000000002EBE000-memory.dmp upx
behavioral1/memory/2740-53-0x0000000001E30000-0x0000000002EBE000-memory.dmp upx
behavioral1/memory/2740-54-0x0000000001E30000-0x0000000002EBE000-memory.dmp upx
behavioral1/memory/2740-30-0x0000000001E30000-0x0000000002EBE000-memory.dmp upx
behavioral1/memory/2740-103-0x0000000001E30000-0x0000000002EBE000-memory.dmp upx
behavioral1/memory/2740-66-0x0000000001E30000-0x0000000002EBE000-memory.dmp upx
behavioral1/memory/2740-107-0x0000000001E30000-0x0000000002EBE000-memory.dmp upx
behavioral1/memory/2740-144-0x0000000001E30000-0x0000000002EBE000-memory.dmp upx
behavioral1/memory/2740-167-0x0000000001E30000-0x0000000002EBE000-memory.dmp upx
behavioral1/memory/2740-216-0x0000000001E30000-0x0000000002EBE000-memory.dmp upx
behavioral1/memory/2740-333-0x0000000001E30000-0x0000000002EBE000-memory.dmp upx
behavioral1/memory/3028-358-0x0000000003030000-0x00000000040BE000-memory.dmp upx
behavioral1/memory/3028-355-0x0000000003030000-0x00000000040BE000-memory.dmp upx
behavioral1/memory/3028-353-0x0000000003030000-0x00000000040BE000-memory.dmp upx
Drops file in Program Files directory 64 IoCs
description ioc Process (all rows: a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe)
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
Drops file in Windows directory 2 IoCs
description ioc Process (all rows: a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe)
File opened for modification C:\Windows\svchost.com
File opened for modification C:\Windows\SYSTEM.INI
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process (all rows: a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Modifies registry class 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process
2740 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
3028 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
3028 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process
Token: SeDebugPrivilege 2740 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe (22 identical rows)
Token: SeDebugPrivilege 3028 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe (23 identical rows)
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
2740 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
2740 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target
PID 3028 wrote to memory of 2740 3028 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe 30
PID 3028 wrote to memory of 2740 3028 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe 30
PID 3028 wrote to memory of 2740 3028 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe 30
PID 3028 wrote to memory of 2740 3028 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe 30
PID 2740 wrote to memory of 1120 2740 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe 19
PID 2740 wrote to memory of 1172 2740 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe 20
PID 2740 wrote to memory of 1216 2740 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe 21
PID 2740 wrote to memory of 836 2740 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe 23
PID 2740 wrote to memory of 3028 2740 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe 29
PID 2740 wrote to memory of 3028 2740 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe 29
PID 3028 wrote to memory of 1120 3028 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe 19
PID 3028 wrote to memory of 1172 3028 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe 20
PID 3028 wrote to memory of 1216 3028 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe 21
PID 3028 wrote to memory of 836 3028 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe 23
PID 3028 wrote to memory of 1120 3028 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe 19
PID 3028 wrote to memory of 1172 3028 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe 20
PID 3028 wrote to memory of 1216 3028 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe 21
PID 3028 wrote to memory of 836 3028 a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe 23
System policy modification 1 TTPs 2 IoCs
description ioc Process (all rows: a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes (image path, command line, PID; indented entries are child processes of the entry above)
C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID:1120
C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID:1172
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:1216
    C:\Users\Admin\AppData\Local\Temp\a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe"  PID:3028
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Loads dropped DLL
        - Modifies system executable filetype association
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Users\Admin\AppData\Local\Temp\3582-490\a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\3582-490\a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe"  PID:2740
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:836
Network
MITRE ATT&CK Enterprise v15 (counts in parentheses)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Change Default File Association (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Change Default File Association (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (7)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
Filesize: 547KB
MD5: cf6c595d3e5e9667667af096762fd9c4
SHA1: 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256: 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512: ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Filesize: 4.5MB
MD5: 3b0816f52f746ebf1dd47e740e0a4b7f
SHA1: cfba462a6a55b4ed034e25509580f5b59ae8276d
SHA256: 0208474404d467aeaaded47aede764f0e41f922bf17ffbdf6d12ea080296bb93
SHA512: 5223f6d7003a38f91d5a48442fc522eb31ab23672eda7f3462d94592f83a46d53057c2c920ccb51e57a65c3041c172c2dcc34237572b7be273a96b4cc4e5f96b

Filesize: 257B
MD5: 9d31a51a935f05f0946a93e1fad805fb
SHA1: 2c184c2942396c73109b32c4fd6f0d0bec09b79a
SHA256: d9f565b95a85925ff81e4c171357e00ba81519e7c34aff4e91cb4b9eaea79175
SHA512: 1f76a693cfa4b1f548193362c6a25a5762c603ac6fd49a5efe2f8ce3290c4654ef8ff6a3eaee90cf3b8226215d915fb45106e05eb91f37682515cb3daeedb65f

Filesize: 252KB
MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1: ec66cda99f44b62470c6930e5afda061579cde35
SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Filesize: 4.6MB
MD5: aa7b81283aba57ca419cebab25705121
SHA1: ad3f26958ac6c5579d410577f6d77cd7637907ec
SHA256: f0a909dbe7d8eb762c4cb5063468b3bbee2c8624860fcdbfeadce89edbec7c86
SHA512: e94a02e983cb97b5ff9688257cfef149c1f01daefe2aa95ba1f853a28e0a59459c585f640c3ac3ff40de9d08e473eeeeb5408b4d9999ee14af1c5974256c0de7