Analysis
- max time kernel: 122s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 09/12/2024, 21:59
Static task: static1
Behavioral task: behavioral1
- Sample: dbbcddb37c336ad6d0a6f69ed996335e_JaffaCakes118.exe
- Resource: win7-20241010-en
General
- Target: dbbcddb37c336ad6d0a6f69ed996335e_JaffaCakes118.exe
- Size: 100KB
- MD5: dbbcddb37c336ad6d0a6f69ed996335e
- SHA1: bc8a385b3d1ca5535a5fa444924110cb81fe69c1
- SHA256: c0c099d168916216ed5172accdf4ce7bec4fe31f6f1e02ee9b2b6a5dd5981d69
- SHA512: f62ee4f14ead529152adaab9e41e40202ae86a411182eb6f7c1da02cf305f90405702322a93da813641fe7d594dfe4183f487b1ab4e0e137d179dc061149d142
- SSDEEP: 1536:ac0qhI8m3LlrIGvLQwg0QJOFDWpUuN2RA+REBQeSNVup7qsqHossq:b1hI8EB3XCJOF6pUumA+0grm7qszXq
Malware Config
Extracted family: sality
URLs from the extracted config:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures
- Modifies firewall policy service (3 TTPs, 3 IoCs)
  Process: dbbcddb37c336ad6d0a6f69ed996335e_JaffaCakes118.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- Sality family
  (The headings of the next four signatures were lost in extraction; the names below are taken, in order, from the signature list attached to PID 4736 in the process tree.)
- UAC bypass
  Process: dbbcddb37c336ad6d0a6f69ed996335e_JaffaCakes118.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Windows security bypass
  Process: dbbcddb37c336ad6d0a6f69ed996335e_JaffaCakes118.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Windows security modification
  Process: dbbcddb37c336ad6d0a6f69ed996335e_JaffaCakes118.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Checks whether UAC is enabled
  Process: dbbcddb37c336ad6d0a6f69ed996335e_JaffaCakes118.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: dbbcddb37c336ad6d0a6f69ed996335e_JaffaCakes118.exe
  File opened (read-only): \??\X: \??\Y: \??\G: \??\K: \??\O: \??\P: \??\T: \??\J: \??\M: \??\V: \??\W: \??\R: \??\U: \??\E: \??\I: \??\L: \??\N: \??\Q: \??\H: \??\S: \??\Z:
- Drops autorun.inf file (1 TTPs, 2 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Process: dbbcddb37c336ad6d0a6f69ed996335e_JaffaCakes118.exe
  File opened for modification F:\autorun.inf
  File opened for modification C:\autorun.inf
- Drops file in Program Files directory (11 IoCs)
  Process: dbbcddb37c336ad6d0a6f69ed996335e_JaffaCakes118.exe
  File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe
  File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe
  File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe
  File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe
  File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
- Drops file in Windows directory (1 IoCs)
  Process: dbbcddb37c336ad6d0a6f69ed996335e_JaffaCakes118.exe
  File opened for modification C:\Windows\SYSTEM.INI
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Process: dbbcddb37c336ad6d0a6f69ed996335e_JaffaCakes118.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Modifies registry class (1 IoCs)
  Process: dbbcddb37c336ad6d0a6f69ed996335e_JaffaCakes118.exe
  Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Process: dbbcddb37c336ad6d0a6f69ed996335e_JaffaCakes118.exe (PID 4736)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Process: dbbcddb37c336ad6d0a6f69ed996335e_JaffaCakes118.exe (PID 4736)
  Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Process: dbbcddb37c336ad6d0a6f69ed996335e_JaffaCakes118.exe (PID 4736)
- System policy modification (1 TTPs, 1 IoCs)
  Process: dbbcddb37c336ad6d0a6f69ed996335e_JaffaCakes118.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
(image | command line | PID; indentation shows the process tree)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 800
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 808
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID 380
- C:\Windows\system32\sihost.exe | sihost.exe | PID 3008
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2268
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 1068
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3444
  - C:\Users\Admin\AppData\Local\Temp\dbbcddb37c336ad6d0a6f69ed996335e_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\dbbcddb37c336ad6d0a6f69ed996335e_JaffaCakes118.exe" | PID 4736
    Signatures triggered by this process:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3560
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3756
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3844
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3908
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 3984
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3548
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 4184
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4892
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 2888
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 100KB
- MD5: e8c56082949ea7ff204ba30f07df2c55
- SHA1: e269378e21070379aa15c9097f16fee90015dc0c
- SHA256: 90cb97f28c37c198ed7e3ee88100fa30d140061a467ba6042cf314add39de5ae
- SHA512: 30e3cd8e5ea4bf188c9e275c0ac5e2b5a15043cc149a7c17c2059f93e07ad5de40f9dbd12d406615b23ceefc750ee3d722952c2f2f691c480a8257ce7eb15d71