Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/12/2024, 14:55
Static task: static1
Behavioral task: behavioral1
  Sample: c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Size: 608KB
MD5: c3117d09ed3c2fb16ba53ba61242b322
SHA1: a683a5dbdc0fc6796bd2f37aacdf31d857ab9b4e
SHA256: 153aaf0b7cdf6d905cd853155d8fb3d00e16bbbc7a5efc8f2393735d3c207c27
SHA512: 01da29effe699035a3aa43ed5a8de0c863044bd8c2961e770a622837bbab357776f81b7b0e2dbe35f1668d511223041d64f043b84dece2364aa5dd39a4b95d77
SSDEEP: 6144:rthOfjZXluQA/qNgSr5oK4cN76VaAa9aVEvW0QSK3LuilKa31b:HYjTVxNgSFD1L9aVEnK7ga31b
Malware Config
Extracted family: sality
C2 URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Disables Task Manager via registry modification
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
3308 | netsh.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
resource | yara_rule
behavioral2/memory/3776-1-0x00000000024B0000-0x00000000034E1000-memory.dmp | upx
behavioral2/memory/3776-5-0x00000000024B0000-0x00000000034E1000-memory.dmp | upx
behavioral2/memory/3776-3-0x00000000024B0000-0x00000000034E1000-memory.dmp | upx
behavioral2/memory/3776-15-0x00000000024B0000-0x00000000034E1000-memory.dmp | upx
behavioral2/memory/3776-16-0x00000000024B0000-0x00000000034E1000-memory.dmp | upx
behavioral2/memory/3776-28-0x00000000024B0000-0x00000000034E1000-memory.dmp | upx
behavioral2/memory/3776-29-0x00000000024B0000-0x00000000034E1000-memory.dmp | upx
behavioral2/memory/3776-30-0x00000000024B0000-0x00000000034E1000-memory.dmp | upx
behavioral2/memory/3776-33-0x00000000024B0000-0x00000000034E1000-memory.dmp | upx
behavioral2/memory/3776-35-0x00000000024B0000-0x00000000034E1000-memory.dmp | upx
behavioral2/memory/3776-37-0x00000000024B0000-0x00000000034E1000-memory.dmp | upx
behavioral2/memory/3776-40-0x00000000024B0000-0x00000000034E1000-memory.dmp | upx
behavioral2/memory/3776-50-0x00000000024B0000-0x00000000034E1000-memory.dmp | upx
behavioral2/memory/3776-52-0x00000000024B0000-0x00000000034E1000-memory.dmp | upx
behavioral2/memory/3776-68-0x00000000024B0000-0x00000000034E1000-memory.dmp | upx
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Modifies registry class 14 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3} | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\ = "Telefon Çeviricisi Belgesi" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\C3117D~1.EXE" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Dialer | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Dialer\ = "dialer.chm" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TelefonÇeviricisi.Belge\ = "Telefon Çeviricisi Belgesi" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\ProgID | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\LocalServer32 | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TelefonÇeviricisi.Belge\CLSID | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TelefonÇeviricisi.Belge\CLSID\ = "{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\InprocHandler32 | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\InprocHandler32\ = "ole32.dll" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TelefonÇeviricisi.Belge | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0D7A956-3C0B-11D1-B4F9-00C04FC98AD3}\ProgID\ = "TelefonÇeviricisi.Belge" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 30 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
3776 | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
3776 | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
3776 | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
3776 | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
3776 | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
3776 | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe
Processes
(image | command line | PID; indentation shows parent/child nesting)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:792
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:420
C:\Windows\system32\sihost.exe | sihost.exe | PID:2580
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2624
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2848
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3584
  C:\Users\Admin\AppData\Local\Temp\c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\c3117d09ed3c2fb16ba53ba61242b322_JaffaCakes118.exe" | PID:3776
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\netsh.exe | netsh firewall set opmode disable | PID:3308
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE" | PID:1304
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE" | PID:2352
      - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3692
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3876
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3968
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4072
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:1356
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4000
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2224
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2336
Network
MITRE ATT&CK Enterprise v15
(tactic / technique (count) / sub-technique (count))

Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (4)