Analysis
max time kernel: 117s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-12-2024 07:53
Static task: static1
Behavioral task: behavioral1
Sample: d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Size: 71KB
MD5: d60139db2a6d23c965fbc6f844d58d44
SHA1: af5ddffc0f6f3433332ceac8ada9ab7906e65729
SHA256: ab50c7a6412399a127f6df559d85bdb7de4e5969611d83b4110d766953082ff0
SHA512: 89f16264493c78659b25b74d3e93b421985ca809f62eeedb1d6c25f997212341997ea2edbf886667a9b263b189252aa11c5f40daab472e7ebda850feb0b255b0
SSDEEP: 1536:hRBqjWBXxJzH18U1q+xAe90GoAlQuCHOagmuI/Fw:hTq6BjzH18NDW0GoAlQbHOjmuui
Malware Config
Extracted
family: sality
urls:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e578d9a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e578d9a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e578d9a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Sality family
UAC bypass (2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578d9a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Windows security bypass (12 IoCs)
All values below sit under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center.
description | ioc | process
Set value (int) | AntiVirusDisableNotify = "1" | e578d9a.exe
Set value (int) | FirewallOverride = "1" | e578d9a.exe
Set value (int) | AntiVirusOverride = "1" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Set value (int) | AntiVirusDisableNotify = "1" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Set value (int) | FirewallDisableNotify = "1" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Set value (int) | FirewallOverride = "1" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Set value (int) | UpdatesDisableNotify = "1" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Set value (int) | AntiVirusOverride = "1" | e578d9a.exe
Set value (int) | UpdatesDisableNotify = "1" | e578d9a.exe
Set value (int) | UacDisableNotify = "1" | e578d9a.exe
Set value (int) | UacDisableNotify = "1" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Set value (int) | FirewallDisableNotify = "1" | e578d9a.exe
Executes dropped EXE (1 IoC)
pid | process
3716 | e578d9a.exe
Windows security modification (14 IoCs)
All paths below sit under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center.
description | ioc | process
Set value (int) | FirewallOverride = "1" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Set value (int) | UpdatesDisableNotify = "1" | e578d9a.exe
Set value (int) | AntiVirusDisableNotify = "1" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Set value (int) | UacDisableNotify = "1" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Set value (int) | UacDisableNotify = "1" | e578d9a.exe
Key created | Svc | e578d9a.exe
Set value (int) | AntiVirusOverride = "1" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Set value (int) | FirewallDisableNotify = "1" | e578d9a.exe
Set value (int) | FirewallOverride = "1" | e578d9a.exe
Set value (int) | FirewallDisableNotify = "1" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Set value (int) | UpdatesDisableNotify = "1" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Key created | Svc | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Set value (int) | AntiVirusOverride = "1" | e578d9a.exe
Set value (int) | AntiVirusDisableNotify = "1" | e578d9a.exe
Checks whether UAC is enabled (2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578d9a.exe
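The registry signatures above (firewall profile, Security Center overrides, EnableLUA) are the same keys a responder would hunt for across an estate after seeing this sample. The script below is an added example, not part of this report or of the sandbox's tooling: it scans registry "value set" records in a constructed, Sysmon-like pipe-delimited layout (utc|image|target object|details, an assumption) and flags only writes whose key, value name and data match what the sample wrote, labelled with the ATT&CK sub-techniques the report's summary uses. The event lines, paths and layout are constructed for illustration.

```python
"""Flag registry writes that switch off the controls this sample tampered with.

Added example, not part of the sandbox report. Scans registry "value set"
events in a constructed, Sysmon-like pipe-delimited layout
(utc|image|target object|details) and reports writes whose key, value name
and data match the firewall-policy, Security Center and EnableLUA changes
the report lists. The layout and the event lines are assumptions.
"""
import re
from collections import Counter

# Keys from the report in the HKLM\CurrentControlSet spelling most host
# telemetry uses; normalise_path() folds the sandbox spelling onto it.
FIREWALL_PROFILE = (
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
    r"\FirewallPolicy\StandardProfile"
)
SECURITY_CENTER = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center"
POLICIES_SYSTEM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

T1562_004 = "T1562.004 Disable or Modify System Firewall"
T1562_001 = "T1562.001 Disable or Modify Tools"
T1548_002 = "T1548.002 Bypass User Account Control"

# (key, value name) -> (data that means "protection off", ATT&CK sub-technique)
TAMPER_RULES = {
    (FIREWALL_PROFILE, "EnableFirewall"): (0, T1562_004),
    (FIREWALL_PROFILE, "DoNotAllowExceptions"): (0, T1562_004),
    (FIREWALL_PROFILE, "DisableNotifications"): (1, T1562_004),
    (SECURITY_CENTER, "AntiVirusOverride"): (1, T1562_001),
    (SECURITY_CENTER, "AntiVirusDisableNotify"): (1, T1562_001),
    (SECURITY_CENTER, "FirewallOverride"): (1, T1562_001),
    (SECURITY_CENTER, "FirewallDisableNotify"): (1, T1562_001),
    (SECURITY_CENTER, "UpdatesDisableNotify"): (1, T1562_001),
    (SECURITY_CENTER, "UacDisableNotify"): (1, T1562_001),
    (POLICIES_SYSTEM, "EnableLUA"): (0, T1548_002),
}
# Case-insensitive lookup on the full "key\value" path.
_RULES = {(key + "\\" + name).lower(): rule for (key, name), rule in TAMPER_RULES.items()}
_DATA_RE = re.compile(r"(?:DWORD\s*\()?\s*(0x[0-9a-fA-F]+|\d+)\s*\)?")


def normalise_path(target: str) -> str:
    """Fold \\REGISTRY\\MACHINE, HKEY_LOCAL_MACHINE and ControlSet00N onto HKLM\\CurrentControlSet."""
    path = target.strip().strip("\\")
    path = re.sub(r"^REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    path = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", path, flags=re.I)
    path = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", path, flags=re.I)
    return path.lower()


def parse_data(details: str):
    """Integer from '0' / '"0"' (sandbox style) or 'DWORD (0x00000000)' (Sysmon style)."""
    match = _DATA_RE.search(details.strip().strip('"'))
    if not match:
        return None
    token = match.group(1)
    return int(token, 16) if token.lower().startswith("0x") else int(token)


def check_event(line: str):
    """(image, technique, normalised path, data) when the write disables a control, else None."""
    try:
        _utc, image, target, details = line.split("|", 3)
    except ValueError:
        return None
    path = normalise_path(target)
    rule = _RULES.get(path)
    if rule is None:
        return None
    off_value, technique = rule
    data = parse_data(details)
    if data != off_value:
        return None  # same key, but this write turns the control back on
    return image.strip(), technique, path, data


def scan(lines):
    """All tampering writes plus a per-image count, as a hunt query would group them."""
    hits = [hit for hit in map(check_event, lines) if hit is not None]
    return hits, Counter(hit[0] for hit in hits)


SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe"
DROPPED_PATH = r"C:\Users\Admin\AppData\Local\Temp\e578d9a.exe"
# Constructed events (utc|image|target object|details); not sandbox output.
SAMPLE_EVENTS = [
    "2024-12-08 07:54:01|" + DROPPED_PATH + "|" + FIREWALL_PROFILE + r"\EnableFirewall|DWORD (0x00000000)",
    "2024-12-08 07:54:01|" + DROPPED_PATH + "|" + SECURITY_CENTER + r"\AntiVirusOverride|DWORD (0x00000001)",
    "2024-12-08 07:54:02|" + SAMPLE_PATH + r"|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA|" + '"0"',
    # Same key as the first event with the opposite data: an admin re-enabling the firewall.
    r"2024-12-08 07:55:00|C:\Windows\System32\netsh.exe|" + FIREWALL_PROFILE + r"\EnableFirewall|DWORD (0x00000001)",
    # A value under a monitored key that no rule covers.
    r"2024-12-08 07:55:10|C:\Windows\System32\svchost.exe|" + SECURITY_CENTER + r"\cval|DWORD (0x00000001)",
]

if __name__ == "__main__":
    hits, per_image = scan(SAMPLE_EVENTS)
    for image, technique, path, data in hits:
        print(f"{technique:44} {image}\n    {path} = {data}")
    print(dict(per_image))
```

Matching on data as well as on the value name is what keeps the rule quiet when an administrator writes the same key with the opposite value; the per-image count is the pivot a hunt would use, since this sample and its dropped copy each wrote the full set.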
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (21 drive letters, every letter from E: to Z: except F:) | e578d9a.exe
File opened (read-only) | \??\E: | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | process
File opened for modification | C:\autorun.inf | e578d9a.exe
File opened for modification | F:\autorun.inf | e578d9a.exe
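The report records that e578d9a.exe opened C:\autorun.inf and F:\autorun.inf for modification but does not show what it wrote. As an added example (not the sandbox's code and not the captured file), the parser below is what a responder would run over an autorun.inf pulled from a suspect volume: it collects the directives Windows honours from the [autorun] section, tolerating NUL padding, mixed case and junk lines, and flags the file when any launch directive points at an executable. The two file contents and the name dropped.exe are constructed placeholders.

```python
"""Triage an autorun.inf taken from a volume the sample wrote to.

Added example, not part of the sandbox report. The report only records
that C:\\autorun.inf and F:\\autorun.inf were opened for modification; the
file contents below are constructed, and "dropped.exe" is a placeholder.
"""
import re

LAUNCH_KEYS = ("open", "shellexecute")  # directives the shell runs directly
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.I)  # shell\<verb>\command
EXECUTABLE_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")


def parse_autorun(text: str) -> dict:
    """Collect key=value directives from the [autorun] section, keys lower-cased.

    Blank lines, ';' comments, NUL padding, other sections and lines without
    '=' are skipped, so junk inserted to confuse a parser does not hide a
    directive that Windows would still honour.
    """
    directives, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.replace("\x00", "").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def launch_targets(directives: dict) -> list:
    """Commands that run when the volume is auto-played or opened from the shell."""
    return [value for key, value in directives.items()
            if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key)]


def launched_executable(target: str) -> str:
    """Program a command line starts with, unquoted and lower-cased."""
    target = target.strip()
    if target.startswith('"') and target.count('"') >= 2:
        return target[1:target.index('"', 1)].lower()
    parts = target.split()
    return parts[0].lower() if parts else ""


def is_suspicious(directives: dict) -> bool:
    """True when any launch directive points at an executable by extension."""
    return any(launched_executable(t).endswith(EXECUTABLE_EXT)
               for t in launch_targets(directives))


# Constructed content in the shape of a removable-drive autorun.inf (not the captured file).
WORM_AUTORUN = r"""
[AutoRun]
;constructed sample
OpEn=dropped.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open\Command=dropped.exe
shell\explore\command=dropped.exe
UseAutoPlay=1
"""

# Constructed benign file: sets a label and an icon, launches nothing.
BENIGN_AUTORUN = r"""
[autorun]
icon=setup.ico
label=Vendor Tools
"""

if __name__ == "__main__":
    for name, text in (("worm", WORM_AUTORUN), ("benign", BENIGN_AUTORUN)):
        found = parse_autorun(text)
        verdict = "suspicious" if is_suspicious(found) else "clean"
        print(name, verdict, launch_targets(found))
```

The shell\<verb>\command form matters as much as open=: it fires when the user double-clicks or right-clicks the drive in Explorer even where AutoPlay is off, so a parser that only reads open= misses the usual second copy of the launch.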
Packed with UPX (yara rule: upx, 38 IoCs)
resource | yara_rule
behavioral2/memory/3716-<n>-0x0000000002250000-0x000000000330A000-memory.dmp | upx
The same region of PID 3716 (e578d9a.exe), 0x0000000002250000-0x000000000330A000, matched the upx rule in 38 successive memory dumps: n = 12, 13, 18, 19, 20, 23, 29, 30, 31, 34, 35, 36, 37, 38, 39, 41, 42, 43, 45, 46, 48, 49, 52, 54, 57, 58, 61, 64, 65, 66, 68, 72, 74, 81, 82, 83, 85, 117.
Drops file in Program Files directory (11 IoCs)
description | ioc | process
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | e578d9a.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | e578d9a.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | e578d9a.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | e578d9a.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | e578d9a.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | e578d9a.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e578d9a.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e578d9a.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | e578d9a.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | e578d9a.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e578d9a.exe
Drops file in Windows directory (4 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
File opened for modification | C:\Windows\SYSTEM.INI | e578d9a.exe
File created | C:\Windows\e578e17 | e578d9a.exe
File created | C:\Windows\e593d4d | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578d9a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (22 IoCs)
pid | process | occurrences
3716 | e578d9a.exe | 20
4600 | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe | 2
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process | occurrences
Token: SeDebugPrivilege | 3716 | e578d9a.exe | 64
Suspicious use of WriteProcessMemory (64 IoCs)
The 64 rows collapse to the source/target pairs below. Target process names are taken from the process list further down (same PIDs); procid_target is the report's internal process index.
source pid | source process | target pid | target process | procid_target | rows
4600 | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe | 3716 | e578d9a.exe | 83 | 3
3716 | e578d9a.exe | 796 | fontdrvhost.exe | 9 | 4
3716 | e578d9a.exe | 804 | fontdrvhost.exe | 10 | 4
3716 | e578d9a.exe | 380 | dwm.exe | 13 | 4
3716 | e578d9a.exe | 2652 | sihost.exe | 44 | 4
3716 | e578d9a.exe | 2668 | svchost.exe (CDPUserSvc) | 45 | 4
3716 | e578d9a.exe | 2984 | taskhostw.exe | 52 | 4
3716 | e578d9a.exe | 3436 | Explorer.EXE | 56 | 4
3716 | e578d9a.exe | 3564 | svchost.exe (cbdhsvc) | 57 | 4
3716 | e578d9a.exe | 3752 | DllHost.exe | 58 | 4
3716 | e578d9a.exe | 3848 | StartMenuExperienceHost.exe | 59 | 4
3716 | e578d9a.exe | 3912 | RuntimeBroker.exe | 60 | 4
3716 | e578d9a.exe | 4020 | SearchApp.exe | 61 | 4
3716 | e578d9a.exe | 4168 | RuntimeBroker.exe | 62 | 4
3716 | e578d9a.exe | 4784 | TextInputHost.exe | 75 | 3
3716 | e578d9a.exe | 664 | RuntimeBroker.exe | 76 | 3
3716 | e578d9a.exe | 1568 | backgroundTaskHost.exe | 81 | 1
3716 | e578d9a.exe | 4600 | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe | 82 | 2
System policy modification (1 TTP, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578d9a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe
Processes
The bracketed number is the depth in the process tree; "cmd:" is the command line as recorded.
[1] PID 796   C:\Windows\system32\fontdrvhost.exe   cmd: "fontdrvhost.exe"
[1] PID 804   C:\Windows\system32\fontdrvhost.exe   cmd: "fontdrvhost.exe"
[1] PID 380   C:\Windows\system32\dwm.exe   cmd: "dwm.exe"
[1] PID 2652  C:\Windows\system32\sihost.exe   cmd: sihost.exe
[1] PID 2668  C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
[1] PID 2984  C:\Windows\system32\taskhostw.exe   cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
[1] PID 3436  C:\Windows\Explorer.EXE   cmd: C:\Windows\Explorer.EXE
  [2] PID 4600  C:\Users\Admin\AppData\Local\Temp\d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe   cmd: "C:\Users\Admin\AppData\Local\Temp\d60139db2a6d23c965fbc6f844d58d44_JaffaCakes118.exe"
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
    [3] PID 3716  C:\Users\Admin\AppData\Local\Temp\e578d9a.exe   cmd: C:\Users\Admin\AppData\Local\Temp\e578d9a.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
[1] PID 3564  C:\Windows\system32\svchost.exe   cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
[1] PID 3752  C:\Windows\system32\DllHost.exe   cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
[1] PID 3848  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe   cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
[1] PID 3912  C:\Windows\System32\RuntimeBroker.exe   cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] PID 4020  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe   cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
[1] PID 4168  C:\Windows\System32\RuntimeBroker.exe   cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] PID 4784  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe   cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
[1] PID 664   C:\Windows\System32\RuntimeBroker.exe   cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] PID 1568  C:\Windows\system32\backgroundTaskHost.exe   cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
- Filesize: 431KB
  MD5: 1fabe4293088e2930603ac859880d573
  SHA1: 67bff30212f0e32dc8d28568f4517721abeb7d33
  SHA256: 55eb5ff4b55bcc6ef7b908279e8ed2e129a0b3d20b0d5d655bd91815a60f7dc3
  SHA512: 85e2f9ee1c0663ad21d3111b66ff7743f4ba0a89d67076a84cc7856416a4b50a6262314864a67d7a0119f19b8dbd98c78880d46db275b8ebbe59d0de7dbe3503
- Filesize: 66KB
  MD5: bcf0c446568d477595073685e4d00ac9
  SHA1: 6c472d78657957f58814b10b491c4a8a0b2435ec
  SHA256: 2b89c377e951919aaf8834702739430578f3073526e52234ffbcb7cbd294ed7e
  SHA512: f0b32beb9d55cdb4836aa9a5703d8fde5430482e6862804d712a45b3d1aef8648e470f87dd173eb36195fc6fb6a0dc3eb926d0697babda0d230cbb9a9cf34bcb
- Filesize: 296B
  MD5: ae795a5614e1e7098f34b4accd0084c7
  SHA1: 649c62201195b68ac2813ee269aabe1b4e33af62
  SHA256: 6ec7af8ef61ec7b334237a8b122d49fb869ebcb50a073b6835f7d0ee48e697cc
  SHA512: c5be5595d0c6be52d50f80d25ec5bc13f9104ca0580d0e3beb34fb0d3bdc663012f20099a198d4b7f057b91326c830cbaf870a9fc9a3ae5e107ac5591014defc
- Filesize: 97KB
  MD5: ffbf199598aca45d0da7afb1912d0c7b
  SHA1: eb2bf75c6260bd84dd127efa6c772b3057d8d49f
  SHA256: 6a9ca77331300ff03c2e7cd88981f520591fe675f9639fc1425c5d30ec389460
  SHA512: d9afafafe1d6c5351c88a49a08752c0f804ea8fcec4fa0df18ffdcdc9d050dd4cfee0e433dc0db110f8caab76a549b843f2d48896a02c68031a6b1024a721e7c