Analysis
max time kernel: 24s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 07-12-2024 20:17
Static task: static1
Behavioral task: behavioral1
Sample: d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Size: 192KB
MD5: d36ed88abe380278cd12c2ccc2a6f25f
SHA1: 49065e3f54be96b4ce4a25dcada33c22300b16ef
SHA256: 39af6234948f20547216f1809c248e6830310bbf0f7191b4e6993d23d3d316a1
SHA512: 91a1192af2b41497aaf4b16f801ff30e5faacc71f96ba65085755f6749f70239d422013d7493447b9f7d2e6e6a14d9c019c06d66cbbb1f480ca0bf5d09557374
SSDEEP: 3072:oacmXJfdXVC7vs2nc4jiktNasb0hl2rAag4IPfp:obedld2c4jCA0f0Mfp
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Sality family
UAC bypass (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Windows security bypass (12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Disables RegEdit via registry modification (12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" | services.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" | inetinfo.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | inetinfo.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | services.exe
Note: each of the six processes writes DisableRegistryTools twice, once as 1 and once as 0, so the value seen on a live host depends on which write landed last.
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableCMD = "0" | services.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableCMD = "0" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableCMD = "0" | inetinfo.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableCMD = "0" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableCMD = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableCMD = "0" | winlogon.exe
Note: every logged write sets DisableCMD to 0 (restriction off); no write of 1 was captured in this run, so the signature name reflects the policy key being touched rather than cmd.exe actually being blocked.
Deletes itself (1 IoCs)
pid | Process
1716 | winlogon.exe
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\index.pif | smss.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\index.pif | smss.exe
Executes dropped EXE (5 IoCs)
pid | Process
1324 | smss.exe
1716 | winlogon.exe
1660 | services.exe
2184 | lsass.exe
1544 | inetinfo.exe
Loads dropped DLL (10 IoCs)
pid | Process | occurrences
3056 | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe | 2
1324 | smss.exe | 8
Windows security modification (14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Adds Run key to start application (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Andrian-PKus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\"" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Joseray_World = "\"C:\\Windows\\INF\\esoJray.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Joseray_World = "\"C:\\Windows\\INF\\esoJray.exe\"" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Joseray_World = "\"C:\\Windows\\INF\\esoJray.exe\"" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Andrian-PKus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Joseray_World = "\"C:\\Windows\\INF\\esoJray.exe\"" | services.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Andrian-PKus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\"" | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Joseray_World = "\"C:\\Windows\\INF\\esoJray.exe\"" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Andrian-PKus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\"" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Joseray_World = "\"C:\\Windows\\INF\\esoJray.exe\"" | inetinfo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Andrian-PKus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\"" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Andrian-PKus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\"" | inetinfo.exe
Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Enumerates connected drives (3 TTPs, 10 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | winlogon.exe
File opened (read-only) | \??\J: | winlogon.exe
File opened (read-only) | \??\E: | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
File opened (read-only) | \??\G: | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
File opened (read-only) | \??\H: | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
File opened (read-only) | \??\E: | winlogon.exe
File opened (read-only) | \??\G: | winlogon.exe
File opened (read-only) | \??\H: | winlogon.exe
File opened (read-only) | \??\I: | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
File opened (read-only) | \??\J: | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\2D Animation.scr | smss.exe
File opened for modification | C:\Windows\SysWOW64\2D Animation.scr | smss.exe
UPX-packed memory regions (yara rule: upx, 27 matches)
resource | yara_rule
behavioral1/memory/3056-{2,5,6,7,8,9,11,12,13,41,42,43,44,45,113,115,136,155,170,191}-0x0000000002A10000-0x0000000003A9E000-memory.dmp | upx
behavioral1/memory/1324-86-0x0000000003CA0000-0x0000000003CD1000-memory.dmp | upx
behavioral1/memory/1716-{192,194,195,196,197,198}-0x00000000031F0000-0x000000000427E000-memory.dmp | upx
(Dump indices grouped in braces per memory region: 20 + 1 + 6 = 27 matches. Each region is the same unpacked image mapped in the sample, smss.exe and winlogon.exe respectively.)
Drops file in Windows directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\INF\esoJray.exe | inetinfo.exe
File opened for modification | C:\Windows\SYSTEM.INI | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
File created | C:\Windows\INF\esoJray.exe | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
File opened for modification | C:\Windows\INF\esoJray.exe | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
File opened for modification | C:\Windows\INF\esoJray.exe | smss.exe
File opened for modification | C:\Windows\INF\esoJray.exe | winlogon.exe
File opened for modification | C:\Windows\INF\esoJray.exe | services.exe
File opened for modification | C:\Windows\INF\esoJray.exe | lsass.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | services.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | inetinfo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3056 | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
1716 | winlogon.exe
Suspicious use of AdjustPrivilegeToken (44 IoCs)
description | pid | Process | occurrences
Token: SeDebugPrivilege | 3056 | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe | 22
Token: SeDebugPrivilege | 1716 | winlogon.exe | 22
Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
3056 | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
1324 | smss.exe
1716 | winlogon.exe
1660 | services.exe
2184 | lsass.exe
1544 | inetinfo.exe
Suspicious use of WriteProcessMemory (46 IoCs)
description | pid | Process | procid_target | occurrences
PID 3056 wrote to memory of 1108 | 3056 | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe | 19 | 1
PID 3056 wrote to memory of 1168 | 3056 | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe | 20 | 1
PID 3056 wrote to memory of 1204 | 3056 | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe | 21 | 1
PID 3056 wrote to memory of 1488 | 3056 | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe | 25 | 1
PID 3056 wrote to memory of 2596 | 3056 | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe | 30 | 4
PID 3056 wrote to memory of 1324 | 3056 | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe | 32 | 4
PID 1324 wrote to memory of 1716 | 1324 | smss.exe | 33 | 4
PID 1324 wrote to memory of 2760 | 1324 | smss.exe | 34 | 4
PID 1324 wrote to memory of 1644 | 1324 | smss.exe | 36 | 4
PID 1324 wrote to memory of 1660 | 1324 | smss.exe | 37 | 4
PID 1324 wrote to memory of 2184 | 1324 | smss.exe | 39 | 4
PID 1324 wrote to memory of 1544 | 1324 | smss.exe | 40 | 4
PID 1716 wrote to memory of 1108 | 1716 | winlogon.exe | 19 | 1
PID 1716 wrote to memory of 1168 | 1716 | winlogon.exe | 20 | 1
PID 1716 wrote to memory of 1204 | 1716 | winlogon.exe | 21 | 1
PID 1716 wrote to memory of 1488 | 1716 | winlogon.exe | 25 | 1
PID 1716 wrote to memory of 1660 | 1716 | winlogon.exe | 37 | 2
PID 1716 wrote to memory of 2184 | 1716 | winlogon.exe | 39 | 2
PID 1716 wrote to memory of 1544 | 1716 | winlogon.exe | 40 | 2
Note: PIDs 1108, 1168, 1204 and 1488 (taskhost.exe, Dwm.exe, Explorer.EXE, DllHost.exe in the process tree) were not started by the sample; writes into them are cross-process injection, whereas the four-fold writes into 2596, 1324 and the smss.exe children accompany process creation.
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
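The registry tables above log writes as native NT object-manager paths (\REGISTRY\MACHINE\..., \REGISTRY\USER\<SID>\...) with the data quoted and escaped. The following is an added example, written for this page and not part of the sandbox report or its tooling: it parses those rows into hunt-ready records, maps the paths to the HKLM/HKU hive names that reg.exe understands, classifies each write against the security setting it weakens, and emits the de-duplicated reg.exe queries to check on a suspect host. SAMPLE_RECORDS is a constructed subset copied from the tables above; the POSTURE_CHANGES table and the ATT&CK technique IDs in it are the editor's reading of those values, not sandbox output.

```python
"""Added example: normalise the report's registry IoC rows and classify them."""
import re
from collections import defaultdict

# NT registry paths as the sandbox logs them -> hive aliases understood by
# reg.exe / PowerShell. HKU\<SID> is that user's HKCU.
HIVE_MAP = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU"}

# Constructed input: verbatim rows from the Signatures tables above.
SAMPLE_RECORDS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winlogon.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" winlogon.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" smss.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableCMD = "0" services.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Joseray_World = "\"C:\\Windows\\INF\\esoJray.exe\"" smss.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc winlogon.exe',
]

# Editor's mapping (assumption): (value name, data) -> what it does to the host,
# with the ATT&CK technique the report's MITRE section names for it.
POSTURE_CHANGES = {
    ("EnableLUA", "0"): "UAC disabled (T1548.002 Bypass User Account Control)",
    ("EnableFirewall", "0"): "firewall profile disabled (T1562.004)",
    ("DoNotAllowExceptions", "0"): "firewall exceptions re-allowed (T1562.004)",
    ("DisableNotifications", "1"): "firewall notifications suppressed (T1562.004)",
    ("AntiVirusOverride", "1"): "Security Center AV state overridden (T1562.001)",
    ("FirewallOverride", "1"): "Security Center firewall state overridden (T1562.001)",
    ("AntiVirusDisableNotify", "1"): "Security Center AV alerts suppressed (T1562.001)",
    ("FirewallDisableNotify", "1"): "Security Center firewall alerts suppressed (T1562.001)",
    ("UacDisableNotify", "1"): "Security Center UAC alerts suppressed (T1562.001)",
    ("UpdatesDisableNotify", "1"): "Security Center update alerts suppressed (T1562.001)",
    ("DisableRegistryTools", "1"): "regedit blocked for this user (T1112)",
    ("DisableCMD", "1"): "cmd.exe blocked for this user (T1112)",
}

SET_RE = re.compile(r'^Set value \((int|str)\) (\\REGISTRY\\.+?)\\([^\\]+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\.+) (\S+)$')


def normalize_path(nt_path):
    """\\REGISTRY\\MACHINE\\x -> HKLM\\x; \\REGISTRY\\USER\\<SID>\\x -> HKU\\<SID>\\x."""
    for prefix, hive in HIVE_MAP.items():
        if nt_path.upper().startswith(prefix):
            return hive + nt_path[len(prefix):]
    return nt_path


def unescape(data):
    """The report escapes embedded quotes and backslashes inside string data."""
    return data.replace('\\"', '"').replace("\\\\", "\\")


def parse_record(line):
    """One table row -> dict(op, type, key, value, data, process)."""
    m = SET_RE.match(line)
    if m:
        kind, key, name, data, proc = m.groups()
        return {"op": "set", "type": kind, "key": normalize_path(key),
                "value": name, "data": unescape(data), "process": proc}
    m = KEY_RE.match(line)
    if m:
        key, proc = m.groups()
        return {"op": "create_key", "type": None, "key": normalize_path(key),
                "value": None, "data": None, "process": proc}
    raise ValueError(f"unrecognised IoC row: {line!r}")


def classify(rec):
    """What the write does to the host, or None when it is not a weakening
    (e.g. DisableCMD = 0 is the 'restriction off' state, see the table above)."""
    if rec["op"] == "set" and "\\CurrentVersion\\Run" in rec["key"]:
        return f"autostart entry -> {rec['data']} (T1547.001)"
    return POSTURE_CHANGES.get((rec["value"], rec["data"]))


def hunt_summary(lines):
    """process name -> [(key\\value, data, classification), ...]."""
    summary = defaultdict(list)
    for rec in map(parse_record, lines):
        target = rec["key"] if rec["value"] is None else rec["key"] + "\\" + rec["value"]
        summary[rec["process"]].append((target, rec["data"], classify(rec)))
    return dict(summary)


def reg_query_commands(lines):
    """De-duplicated reg.exe queries for the same locations on a live host.
    Wow6432Node is kept verbatim: the sample is 32-bit, so Security Center and
    Run were redirected, while HKLM\\...\\Policies\\System is a shared key."""
    cmds = []
    for rec in map(parse_record, lines):
        cmd = f'reg query "{rec["key"]}"'
        if rec["value"] is not None:
            cmd += f' /v "{rec["value"]}"'
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    for proc, hits in hunt_summary(SAMPLE_RECORDS).items():
        print(proc)
        for target, data, label in hits:
            print(f"  {target} = {data!r}: {label or 'no weakening observed'}")
    print("\n".join(reg_query_commands(SAMPLE_RECORDS)))
```

The HKU\<SID> paths are specific to the sandbox user (S-1-5-21-3551809350-4263495960-1443967649-1000); on a real host substitute the logged-on user's SID, or query HKCU while running as that user.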
Processes
[1] C:\Windows\system32\taskhost.exe  cmdline: "taskhost.exe"  PID: 1108
[1] C:\Windows\system32\Dwm.exe  cmdline: "C:\Windows\system32\Dwm.exe"  PID: 1168
[1] C:\Windows\Explorer.EXE  cmdline: C:\Windows\Explorer.EXE  PID: 1204
    [2] C:\Users\Admin\AppData\Local\Temp\d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe"  PID: 3056
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Disables cmd.exe use via registry modification
        - Loads dropped DLL
        - Windows security modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        [3] C:\Windows\SysWOW64\explorer.exe  cmdline: explorer.exe  PID: 2596
            - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\smss.exe  cmdline: C:\Users\Admin\AppData\Local\smss.exe  PID: 1324
            - Disables RegEdit via registry modification
            - Disables cmd.exe use via registry modification
            - Drops startup file
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\winlogon.exe  cmdline: C:\Users\Admin\AppData\Local\winlogon.exe  PID: 1716
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Disables RegEdit via registry modification
                - Disables cmd.exe use via registry modification
                - Deletes itself
                - Executes dropped EXE
                - Windows security modification
                - Adds Run key to start application
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                - System policy modification
            [4] C:\Windows\SysWOW64\at.exe  cmdline: at /delete /y  PID: 2760
                - System Location Discovery: System Language Discovery
            [4] C:\Windows\SysWOW64\at.exe  cmdline: at 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\A.yaresoJ.com"  PID: 1644
                - System Location Discovery: System Language Discovery
            [4] C:\Users\Admin\AppData\Local\services.exe  cmdline: C:\Users\Admin\AppData\Local\services.exe  PID: 1660
                - Disables RegEdit via registry modification
                - Disables cmd.exe use via registry modification
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
            [4] C:\Users\Admin\AppData\Local\lsass.exe  cmdline: C:\Users\Admin\AppData\Local\lsass.exe  PID: 2184
                - Disables RegEdit via registry modification
                - Disables cmd.exe use via registry modification
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
            [4] C:\Users\Admin\AppData\Local\inetinfo.exe  cmdline: C:\Users\Admin\AppData\Local\inetinfo.exe  PID: 1544
                - Disables RegEdit via registry modification
                - Disables cmd.exe use via registry modification
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
[1] C:\Windows\system32\DllHost.exe  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID: 1488
Note: the dropped binaries reuse the names of Windows system processes (smss.exe, winlogon.exe, services.exe, lsass.exe, inetinfo.exe) but run from C:\Users\Admin\AppData\Local, not from System32; the two at.exe invocations first clear all scheduled jobs and then schedule A.yaresoJ.com to run daily at 17:08.
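The WriteProcessMemory table and the process tree together separate two kinds of memory writes: a loader filling a child it has just spawned, and a process writing into processes it did not create (here taskhost.exe, Dwm.exe, Explorer.EXE, DllHost.exe, and the siblings started by smss.exe), which is the injection behaviour worth alerting on. The following is an added example, written for this page and not part of the sandbox report, that rebuilds that picture from the rows. WPM_ROWS is a constructed copy of the report's rows with the repeat count shown per (source, target) pair; PARENT and NAMES are read off the process tree above.

```python
"""Added example: classify WriteProcessMemory targets as own-child vs cross-process."""
import re
from collections import Counter, defaultdict

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

# Constructed input: (row text as printed in the report, repeat count).
WPM_ROWS = [
    ("PID 3056 wrote to memory of 1108 3056 d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe 19", 1),
    ("PID 3056 wrote to memory of 1168 3056 d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe 20", 1),
    ("PID 3056 wrote to memory of 1204 3056 d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe 21", 1),
    ("PID 3056 wrote to memory of 1488 3056 d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe 25", 1),
    ("PID 3056 wrote to memory of 2596 3056 d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe 30", 4),
    ("PID 3056 wrote to memory of 1324 3056 d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe 32", 4),
    ("PID 1324 wrote to memory of 1716 1324 smss.exe 33", 4),
    ("PID 1324 wrote to memory of 2760 1324 smss.exe 34", 4),
    ("PID 1324 wrote to memory of 1644 1324 smss.exe 36", 4),
    ("PID 1324 wrote to memory of 1660 1324 smss.exe 37", 4),
    ("PID 1324 wrote to memory of 2184 1324 smss.exe 39", 4),
    ("PID 1324 wrote to memory of 1544 1324 smss.exe 40", 4),
    ("PID 1716 wrote to memory of 1108 1716 winlogon.exe 19", 1),
    ("PID 1716 wrote to memory of 1168 1716 winlogon.exe 20", 1),
    ("PID 1716 wrote to memory of 1204 1716 winlogon.exe 21", 1),
    ("PID 1716 wrote to memory of 1488 1716 winlogon.exe 25", 1),
    ("PID 1716 wrote to memory of 1660 1716 winlogon.exe 37", 2),
    ("PID 1716 wrote to memory of 2184 1716 winlogon.exe 39", 2),
    ("PID 1716 wrote to memory of 1544 1716 winlogon.exe 40", 2),
]

# Parent PID of each process, from the tree in the Processes section.
PARENT = {3056: 1204, 2596: 3056, 1324: 3056, 1716: 1324, 2760: 1324,
          1644: 1324, 1660: 1324, 2184: 1324, 1544: 1324}
NAMES = {1108: "taskhost.exe", 1168: "Dwm.exe", 1204: "Explorer.EXE", 1488: "DllHost.exe",
         3056: "d36ed88abe380278cd12c2ccc2a6f25f_JaffaCakes118.exe",
         2596: "explorer.exe (SysWOW64)", 1324: "smss.exe", 1716: "winlogon.exe",
         2760: "at.exe", 1644: "at.exe", 1660: "services.exe", 2184: "lsass.exe",
         1544: "inetinfo.exe"}


def parse_wpm(row):
    """'PID <src> wrote to memory of <dst> <src> <name> <procid_target>' -> dict."""
    m = WPM_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    src, dst, src_again, name, procid = m.groups()
    if src != src_again:
        raise ValueError(f"pid column {src_again} disagrees with description {src}")
    return {"src": int(src), "dst": int(dst), "name": name, "procid_target": int(procid)}


def write_counts(rows):
    """Counter of (src, dst) -> number of WriteProcessMemory events."""
    counts = Counter()
    for row, repeat in rows:
        rec = parse_wpm(row)
        counts[(rec["src"], rec["dst"])] += repeat
    return counts


def injection_targets(rows, parent=PARENT):
    """Per writer: 'child' targets it created vs 'cross' targets it did not.
    The 'cross' set is the cross-process injection signal."""
    out = defaultdict(lambda: {"child": set(), "cross": set()})
    for (src, dst) in write_counts(rows):
        bucket = "child" if parent.get(dst) == src else "cross"
        out[src][bucket].add(dst)
    return dict(out)


def report(rows, names=NAMES):
    """One line per writer, cross-process targets first."""
    lines = []
    for src, buckets in sorted(injection_targets(rows).items()):
        cross = ", ".join(f"{p} {names.get(p, '?')}" for p in sorted(buckets["cross"]))
        child = ", ".join(f"{p} {names.get(p, '?')}" for p in sorted(buckets["child"]))
        lines.append(f"{src} {names.get(src, '?')}: cross-process -> [{cross}] | own children -> [{child}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(WPM_ROWS)))
```

Run stand-alone it prints three lines: smss.exe (1324) only writes into processes it spawned, while the sample (3056) and its winlogon.exe copy (1716) both write into the four pre-existing system processes; 1716 additionally writes into the three siblings smss.exe started. In a detection pipeline the same split applies to Sysmon Event ID 8/10 or EDR cross-process telemetry: join on the parent PID and alert on writes where the writer is not the target's parent.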
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (6)
Downloads
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 192KB (same hashes as the submitted sample)
MD5: d36ed88abe380278cd12c2ccc2a6f25f
SHA1: 49065e3f54be96b4ce4a25dcada33c22300b16ef
SHA256: 39af6234948f20547216f1809c248e6830310bbf0f7191b4e6993d23d3d316a1
SHA512: 91a1192af2b41497aaf4b16f801ff30e5faacc71f96ba65085755f6749f70239d422013d7493447b9f7d2e6e6a14d9c019c06d66cbbb1f480ca0bf5d09557374

Filesize: 257B
MD5: 2ecf4d5993d5c28aea24df1b3ef489c4
SHA1: e6c34e535508cb8ba3a29c9e213e15b6b2c5c4e9
SHA256: c93f5a4b35055e5ce146671fc44dbbc6123fd3026814dfb2b8eb9f9de17bb1ad
SHA512: d967886dce03679bbcace5bb34ccc4a8d5b5d8306913e1a04f7047393c6cafc13fd593fb2608e0ac5ba1c0f242c6f1b2736d4512e307389957faed019ef6abbf