Analysis
- max time kernel: 30s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-12-2024 00:39
- Static task: static1
- Behavioral task: behavioral1
- Sample: cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
- Size: 456KB
- MD5: cfd583eafd7c23ee4ef7fae16fc0a609
- SHA1: a25406e46e5e752bb470e03b004aad0ccdf493d6
- SHA256: e2a3e67369a4258608572dcd0efe8addf7a9f564c42377601dabfe56ea72c868
- SHA512: c00e66fc2a6b9e3236113de5d6b43d867c18f3cf5fea3f096051d932d1cd2643d5dc7679beb87aa2781518ade75526adb3ae9c97042f6b63b7d1f5fb24e8c9a1
- SSDEEP: 3072:+gL7MsikeybdzaOgHzhq/LWNLHbQabhrR7plu:+Nsikeigw+j7R9lu
Malware Config
Extracted family: sality
Extracted URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
All values are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile:
description | ioc | process
Set value (int) | EnableFirewall = "0" | sysdll.exe
Set value (int) | DoNotAllowExceptions = "0" | sysdll.exe
Set value (int) | DisableNotifications = "1" | sysdll.exe
Set value (int) | EnableFirewall = "0" | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Set value (int) | DoNotAllowExceptions = "0" | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Set value (int) | DisableNotifications = "1" | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Sality family

UAC bypass (2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sysdll.exe
Windows security bypass (12 IoCs)
All values are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center:
description | ioc | process
Set value (int) | AntiVirusOverride = "1" | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Set value (int) | AntiVirusDisableNotify = "1" | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Set value (int) | FirewallDisableNotify = "1" | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Set value (int) | FirewallOverride = "1" | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Set value (int) | UpdatesDisableNotify = "1" | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Set value (int) | UacDisableNotify = "1" | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Set value (int) | UpdatesDisableNotify = "1" | sysdll.exe
Set value (int) | AntiVirusOverride = "1" | sysdll.exe
Set value (int) | AntiVirusDisableNotify = "1" | sysdll.exe
Set value (int) | FirewallDisableNotify = "1" | sysdll.exe
Set value (int) | FirewallOverride = "1" | sysdll.exe
Set value (int) | UacDisableNotify = "1" | sysdll.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Deletes itself (1 IoCs)
pid | process
2804 | sysdll.exe

Executes dropped EXE (1 IoCs)
pid | process
2804 | sysdll.exe
Windows security modification (14 IoCs)
All keys and values are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center:
description | ioc | process
Key created | Svc | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Set value (int) | FirewallOverride = "1" | sysdll.exe
Set value (int) | AntiVirusDisableNotify = "1" | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Set value (int) | FirewallDisableNotify = "1" | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Set value (int) | AntiVirusOverride = "1" | sysdll.exe
Set value (int) | FirewallDisableNotify = "1" | sysdll.exe
Set value (int) | UpdatesDisableNotify = "1" | sysdll.exe
Set value (int) | UacDisableNotify = "1" | sysdll.exe
Set value (int) | AntiVirusOverride = "1" | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Set value (int) | UpdatesDisableNotify = "1" | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Set value (int) | UacDisableNotify = "1" | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Set value (int) | AntiVirusDisableNotify = "1" | sysdll.exe
Key created | Svc | sysdll.exe
Set value (int) | FirewallOverride = "1" | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Checks whether UAC is enabled (2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sysdll.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Enumerates connected drives (3 TTPs, 8 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\H: | sysdll.exe
File opened (read-only) | \??\I: | sysdll.exe
File opened (read-only) | \??\J: | sysdll.exe
File opened (read-only) | \??\K: | sysdll.exe
File opened (read-only) | \??\L: | sysdll.exe
File opened (read-only) | \??\M: | sysdll.exe
File opened (read-only) | \??\E: | sysdll.exe
File opened (read-only) | \??\G: | sysdll.exe
Drops file in System32 directory (1 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\sysdll.exe | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
YARA rule matches in memory dumps (rule: upx)
Each resource has the form behavioral2/memory/<pid>-<dump index>-<start>-<end>-memory.dmp and matched the yara rule upx.
resource | yara_rule
PID 5012, range 0x0000000002BD0000-0x0000000003C5E000, dump indices 1, 3, 4, 5, 6, 9, 20, 21, 22, 36, 44 (11 dumps) | upx
PID 2804, range 0x0000000003140000-0x00000000041CE000, dump indices 52, 54, 55, 58, 59, 60, 61, 62, 64, 65, 66, 67, 68, 69, 71, 72, 73, 74, 76, 79, 81, 82, 84, 85, 87, 89, 97, 100 (28 dumps) | upx
Drops file in Windows directory (1 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysdll.exe
Modifies registry class (5 IoCs)
All keys are under \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings; the process is cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe in every row.
description | ioc
Key created | Software\Microsoft\Windows\Shell
Key created | Software\Microsoft\Windows\Shell\BagMRU
Set value (data) | Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data) | Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created | (the Local Settings key itself)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | process
5012 | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe (2 occurrences)
2804 | sysdll.exe (4 occurrences)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process
Token: SeDebugPrivilege | 5012 | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe (all 64 entries are this same row)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
5012 | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
2804 | sysdll.exe
Suspicious use of WriteProcessMemory (49 IoCs)
Each entry is "PID <pid> wrote to memory of <target pid>"; the number in parentheses is the report's procid_target for that target.
PID 5012 (cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe) wrote to memory of: 780 (8), 776 (9), 60 (13), 2924 (49), 748 (52), 3148 (53), 3496 (56), 3616 (57), 3792 (58), 3884 (59), 3948 (60), 4036 (61), 3160 (62), 1660 (75), 1272 (76), 1620 (81), 2804 (83) listed three times
PID 2804 (sysdll.exe) wrote to memory of, each target listed twice: 780 (8), 776 (9), 60 (13), 2924 (49), 748 (52), 3148 (53), 3496 (56), 3616 (57), 3792 (58), 3884 (59), 3948 (60), 4036 (61), 3160 (62), 1660 (75), 1272 (76)
System policy modification (1 TTPs, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sysdll.exe
Processes
Each entry is "[depth] image path | command line | PID"; indentation shows the parent/child tree.

[1] C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 780
[1] C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 776
[1] C:\Windows\system32\dwm.exe | "dwm.exe" | PID 60
[1] C:\Windows\system32\sihost.exe | sihost.exe | PID 2924
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 748
[1] C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 3148
[1] C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3496
    [2] C:\Users\Admin\AppData\Local\Temp\cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\cfd583eafd7c23ee4ef7fae16fc0a609_JaffaCakes118.exe" | PID 5012
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Checks computer location settings
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        [3] C:\Windows\SysWOW64\sysdll.exe | "C:\Windows\System32\sysdll.exe" | PID 2804
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Deletes itself
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3616
[1] C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3792
[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3884
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3948
[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4036
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3160
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 1660
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 1272
[1] C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 1620
[1] C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | PID 976
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- File 1
  - Filesize: 257B
  - MD5: 763a5b7006028c33ec5e2c5c25707eb2
  - SHA1: 6f5a50445c154270884dcfb1310aa1cf26f2517d
  - SHA256: 1cb486d42260c016efa04c891936c09b5a91bf5e5d0e0c407614f39ea10faf43
  - SHA512: c85f32c5a5f5cf4dcd77302cb4e3986b0661b8dc0f11d6277174a8f893a3d527695cc77d376921c07994ef9e2d8869927fa07d976712d4fa834eecb8ad797fa6
- File 2
  - Filesize: 21B
  - MD5: bb82c11a38bf6583cd4d542081470540
  - SHA1: f3f29edb045b24967094cbad62696bfc858c6114
  - SHA256: c308ca6ffa259b1e84a60190a50d354920347fcd80ea2e4eff36fb782a13ab2c
  - SHA512: 370f376ca992f67d0e4e76f422d139b4cb236139eac15d18e35f9fc797e0cd5819783d5358fa46c88e39ee0ebaeb698a29f40265132fd03a6237a29d7a0cf54a
- File 3
  - Filesize: 100KB
  - MD5: 8e37db2841619b803d629b228ddc0c47
  - SHA1: a81353ba11d9692f6bfd567c2c18f7f2055a91e3
  - SHA256: 5b3a71a48a29dd5419336221e66fca16efa25f65041dd0c788c4835ffe9769a8
  - SHA512: c29452e70e0ea776aa8fc39389d2aa06138fc01d8f6304272e590afd1da405e068ff3417c6d95878d3699dd51016bd9e53cd2555e8fa5792152ac74f6b7d68ae
- File 4 (same hashes as the submitted sample)
  - Filesize: 456KB
  - MD5: cfd583eafd7c23ee4ef7fae16fc0a609
  - SHA1: a25406e46e5e752bb470e03b004aad0ccdf493d6
  - SHA256: e2a3e67369a4258608572dcd0efe8addf7a9f564c42377601dabfe56ea72c868
  - SHA512: c00e66fc2a6b9e3236113de5d6b43d867c18f3cf5fea3f096051d932d1cd2643d5dc7679beb87aa2781518ade75526adb3ae9c97042f6b63b7d1f5fb24e8c9a1