Analysis
max time kernel: 21s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07-12-2024 00:39
Static task: static1
Behavioral task: behavioral1
Sample: cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Size: 456KB
MD5: cfd583eafd7c23ee4ef7fae16fc0a609
SHA1: a25406e46e5e752bb470e03b004aad0ccdf493d6
SHA256: e2a3e67369a4258608572dcd0efe8addf7a9f564c42377601dabfe56ea72c868
SHA512: c00e66fc2a6b9e3236113de5d6b43d867c18f3cf5fea3f096051d932d1cd2643d5dc7679beb87aa2781518ade75526adb3ae9c97042f6b63b7d1f5fb24e8c9a1
SSDEEP: 3072:+gL7MsikeybdzaOgHzhq/LWNLHbQabhrR7plu:+Nsikeigw+j7R9lu
Malware Config
Extracted family: sality
Extracted URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (sysdll.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (sysdll.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (sysdll.exe)
Sality family
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (sysdll.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (sysdll.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (sysdll.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (sysdll.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (sysdll.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (sysdll.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (sysdll.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
Deletes itself (1 IoC)
- PID 2556 sysdll.exe
Executes dropped EXE (1 IoC)
- PID 2556 sysdll.exe
Loads dropped DLL (5 IoCs)
- PID 2708 cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe (5 entries)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (sysdll.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (sysdll.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (sysdll.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (sysdll.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (sysdll.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (sysdll.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (sysdll.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (sysdll.exe)
Enumerates connected drives (3 TTPs, 5 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\E: (sysdll.exe)
- File opened (read-only) \??\G: (sysdll.exe)
- File opened (read-only) \??\H: (sysdll.exe)
- File opened (read-only) \??\I: (sysdll.exe)
- File opened (read-only) \??\J: (sysdll.exe)
Drops file in System32 directory (1 IoC)
- File created C:\Windows\SysWOW64\sysdll.exe (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
Drops file in Windows directory (1 IoC)
- File opened for modification C:\Windows\SYSTEM.INI (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (sysdll.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
Modifies registry class (27 IoCs)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2708 cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
- PID 2556 sysdll.exe
Suspicious use of AdjustPrivilegeToken (44 IoCs)
- Token: SeDebugPrivilege, PID 2708 cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe (22 entries)
- Token: SeDebugPrivilege, PID 2556 sysdll.exe (22 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2708 cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
- PID 2556 sysdll.exe
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 2708 wrote to memory of 1112 (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe, procid_target 19)
- PID 2708 wrote to memory of 1164 (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe, procid_target 20)
- PID 2708 wrote to memory of 1208 (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe, procid_target 21)
- PID 2708 wrote to memory of 852 (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe, procid_target 23)
- PID 2708 wrote to memory of 2556 (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe, procid_target 30), 4 entries
- PID 2556 wrote to memory of 1112 (sysdll.exe, procid_target 19)
- PID 2556 wrote to memory of 1164 (sysdll.exe, procid_target 20)
- PID 2556 wrote to memory of 1208 (sysdll.exe, procid_target 21)
- PID 2556 wrote to memory of 852 (sysdll.exe, procid_target 23)
System policy modification (1 TTP, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (sysdll.exe)
Processes
- C:\Windows\system32\taskhost.exe "taskhost.exe" (PID 1112)
- C:\Windows\system32\Dwm.exe "C:\Windows\system32\Dwm.exe" (PID 1164)
- C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE (PID 1208)
  - C:\Users\Admin\AppData\Local\Temp\cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe" (PID 2708)
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\sysdll.exe "C:\Windows\System32\sysdll.exe" (PID 2556)
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (PID 852)
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: 0f0e3912c07da11bdfb36f9adb22171c
  SHA1: db4772deb82b166b2e403ce8dd69899540c1d9db
  SHA256: a4f5e1ca0557714fe9d7ed63d08288d22f5b9b8ef82f2d597e267f371d85cca2
  SHA512: 651731f0ba901f84591ee65708009fcc3535c772a26ec1a555af18073da31eda29768a3f7c89665236ab8e5eac911f47a79777c7bbc3b01bb82399076dc9bc15
- Filesize: 21B
  MD5: bb82c11a38bf6583cd4d542081470540
  SHA1: f3f29edb045b24967094cbad62696bfc858c6114
  SHA256: c308ca6ffa259b1e84a60190a50d354920347fcd80ea2e4eff36fb782a13ab2c
  SHA512: 370f376ca992f67d0e4e76f422d139b4cb236139eac15d18e35f9fc797e0cd5819783d5358fa46c88e39ee0ebaeb698a29f40265132fd03a6237a29d7a0cf54a
- Filesize: 100KB
  MD5: 38f9af5660497a5000ab8bfca844352a
  SHA1: 5671051dc442bdafcbfdc7f1fb3f2b954d8955cc
  SHA256: 63e6648e75b5960f914899ace4ba30b79baf9ddd08b61bf1347cdc6023f9aa44
  SHA512: 25e6f5ba95b796767daffcc679440591640bea637b9b9b85e4de93b0b3e51a1a9b8241f4fa1334b5e9636dff1d2c9d0498d17893ae5685283e26defd50e66154
- Filesize: 456KB
  MD5: cfd583eafd7c23ee4ef7fae16fc0a609
  SHA1: a25406e46e5e752bb470e03b004aad0ccdf493d6
  SHA256: e2a3e67369a4258608572dcd0efe8addf7a9f564c42377601dabfe56ea72c868
  SHA512: c00e66fc2a6b9e3236113de5d6b43d867c18f3cf5fea3f096051d932d1cd2643d5dc7679beb87aa2781518ade75526adb3ae9c97042f6b63b7d1f5fb24e8c9a1