Analysis
-
max time kernel
27s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
11-12-2024 07:04
Static task
static1
Behavioral task
behavioral1
Sample
e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
-
Size
232KB
-
MD5
e05e396f6d95094185e91ee6141e66a9
-
SHA1
0ada554f270baffca0f365533a456a31f3d8e667
-
SHA256
88df095a28ea561bc2a8f6e96b8c58ce4496ba4562c54c3e32c93ab4081d85f7
-
SHA512
8963f746717fe0d62458095c2325522271c1e82585e1ae4f61710ca712aaa35417be6dc4e30b8b39a73f11ecad0d024923ccff1639d16af246b229061c086710
-
SSDEEP
3072:FagmvJfdXVCAX73xRRdr9evN0QfEs8qGu2wFEb:FfCdlF73xfdQvN932eS
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Sality family
-
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
-
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
-
Disables RegEdit via registry modification 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | services.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | inetinfo.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" | services.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" | inetinfo.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" | smss.exe
-
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableCMD = "0" | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableCMD = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableCMD = "0" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableCMD = "0" | services.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableCMD = "0" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableCMD = "0" | inetinfo.exe
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid | Process
1380 | netsh.exe
1328 | netsh.exe
-
Deletes itself 1 IoCs
pid | Process
4588 | winlogon.exe
-
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif | smss.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif | smss.exe
-
Executes dropped EXE 5 IoCs
pid | Process
2908 | smss.exe
4588 | winlogon.exe
3996 | services.exe
4596 | lsass.exe
3260 | inetinfo.exe
-
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
-
Adds Run key to start application 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\"" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\INF\\norBtok.exe\"" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\INF\\norBtok.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\INF\\norBtok.exe\"" | services.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\"" | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\INF\\norBtok.exe\"" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\INF\\norBtok.exe\"" | inetinfo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\"" | inetinfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\INF\\norBtok.exe\"" | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\"" | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\"" | smss.exe
-
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\3D Animation.scr | smss.exe
File opened for modification | C:\Windows\SysWOW64\3D Animation.scr | smss.exe
-
resource | yara_rule
behavioral2/memory/1928-3-0x0000000002CF0000-0x0000000003D23000-memory.dmp | upx
behavioral2/memory/1928-13-0x0000000002CF0000-0x0000000003D23000-memory.dmp | upx
behavioral2/memory/1928-6-0x0000000002CF0000-0x0000000003D23000-memory.dmp | upx
behavioral2/memory/1928-1-0x0000000002CF0000-0x0000000003D23000-memory.dmp | upx
behavioral2/memory/1928-34-0x0000000002CF0000-0x0000000003D23000-memory.dmp | upx
behavioral2/memory/1928-39-0x0000000002CF0000-0x0000000003D23000-memory.dmp | upx
behavioral2/memory/1928-148-0x0000000002CF0000-0x0000000003D23000-memory.dmp | upx
behavioral2/memory/1928-149-0x0000000002CF0000-0x0000000003D23000-memory.dmp | upx
behavioral2/memory/1928-155-0x0000000002CF0000-0x0000000003D23000-memory.dmp | upx
behavioral2/memory/1928-166-0x0000000002CF0000-0x0000000003D23000-memory.dmp | upx
-
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | winlogon.exe
-
Drops file in Windows directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
File created | C:\Windows\INF\norBtok.exe | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
File opened for modification | C:\Windows\INF\norBtok.exe | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
File opened for modification | C:\Windows\INF\norBtok.exe | smss.exe
File opened for modification | C:\Windows\INF\norBtok.exe | winlogon.exe
File opened for modification | C:\Windows\INF\norBtok.exe | services.exe
File opened for modification | C:\Windows\INF\norBtok.exe | lsass.exe
File opened for modification | C:\Windows\INF\norBtok.exe | inetinfo.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | inetinfo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | services.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | explorer.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
4588 | winlogon.exe
4588 | winlogon.exe
4588 | winlogon.exe
4588 | winlogon.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Token: SeDebugPrivilege | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
2908 | smss.exe
4588 | winlogon.exe
3996 | services.exe
4596 | lsass.exe
3260 | inetinfo.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1928 wrote to memory of 1380 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 83
PID 1928 wrote to memory of 1380 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 83
PID 1928 wrote to memory of 1380 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 83
PID 1928 wrote to memory of 776 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 8
PID 1928 wrote to memory of 780 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 9
PID 1928 wrote to memory of 388 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 13
PID 1928 wrote to memory of 2892 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 50
PID 1928 wrote to memory of 2952 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 51
PID 1928 wrote to memory of 3104 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 53
PID 1928 wrote to memory of 3548 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 55
PID 1928 wrote to memory of 3728 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 57
PID 1928 wrote to memory of 3908 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 58
PID 1928 wrote to memory of 4004 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 59
PID 1928 wrote to memory of 4072 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 60
PID 1928 wrote to memory of 2796 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 61
PID 1928 wrote to memory of 4104 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 62
PID 1928 wrote to memory of 1596 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 75
PID 1928 wrote to memory of 3704 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 76
PID 1928 wrote to memory of 4540 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 81
PID 1928 wrote to memory of 1380 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 83
PID 1928 wrote to memory of 1380 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 83
PID 1928 wrote to memory of 4000 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 84
PID 1928 wrote to memory of 1052 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 85
PID 1928 wrote to memory of 1052 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 85
PID 1928 wrote to memory of 1052 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 85
PID 1928 wrote to memory of 2908 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 87
PID 1928 wrote to memory of 2908 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 87
PID 1928 wrote to memory of 2908 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 87
PID 2908 wrote to memory of 4588 | 2908 | smss.exe | 89
PID 2908 wrote to memory of 4588 | 2908 | smss.exe | 89
PID 2908 wrote to memory of 4588 | 2908 | smss.exe | 89
PID 2908 wrote to memory of 3052 | 2908 | smss.exe | 90
PID 2908 wrote to memory of 3052 | 2908 | smss.exe | 90
PID 2908 wrote to memory of 3052 | 2908 | smss.exe | 90
PID 2908 wrote to memory of 1684 | 2908 | smss.exe | 92
PID 2908 wrote to memory of 1684 | 2908 | smss.exe | 92
PID 2908 wrote to memory of 1684 | 2908 | smss.exe | 92
PID 2908 wrote to memory of 3996 | 2908 | smss.exe | 94
PID 2908 wrote to memory of 3996 | 2908 | smss.exe | 94
PID 2908 wrote to memory of 3996 | 2908 | smss.exe | 94
PID 2908 wrote to memory of 4596 | 2908 | smss.exe | 95
PID 2908 wrote to memory of 4596 | 2908 | smss.exe | 95
PID 2908 wrote to memory of 4596 | 2908 | smss.exe | 95
PID 1928 wrote to memory of 776 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 8
PID 1928 wrote to memory of 780 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 9
PID 1928 wrote to memory of 388 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 13
PID 1928 wrote to memory of 2892 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 50
PID 1928 wrote to memory of 2952 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 51
PID 1928 wrote to memory of 3104 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 53
PID 1928 wrote to memory of 3548 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 55
PID 1928 wrote to memory of 3728 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 57
PID 1928 wrote to memory of 3908 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 58
PID 1928 wrote to memory of 4004 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 59
PID 1928 wrote to memory of 4072 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 60
PID 1928 wrote to memory of 2796 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 61
PID 1928 wrote to memory of 4104 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 62
PID 1928 wrote to memory of 1596 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 75
PID 1928 wrote to memory of 3704 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 76
PID 1928 wrote to memory of 2908 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 87
PID 1928 wrote to memory of 2908 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 87
PID 1928 wrote to memory of 4588 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 89
PID 1928 wrote to memory of 4588 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 89
PID 1928 wrote to memory of 3996 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 94
PID 1928 wrote to memory of 3996 | 1928 | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | 94
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Processes
-
image | command line | PID (child processes are indented under their parent; triggered signatures are listed beneath each process)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:388
C:\Windows\system32\sihost.exe | sihost.exe | PID:2892
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2952
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3104
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3548
  C:\Users\Admin\AppData\Local\Temp\e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\e05e396f6d95094185e91ee6141e66a9_JaffaCakes118.exe" | PID:1928
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\netsh.exe | netsh firewall set opmode disable | PID:1380
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4000
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:1052
      - System Location Discovery: System Language Discovery
      - Modifies registry class
    C:\Users\Admin\AppData\Local\smss.exe | C:\Users\Admin\AppData\Local\smss.exe | PID:2908
      - Disables RegEdit via registry modification
      - Disables cmd.exe use via registry modification
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\winlogon.exe | C:\Users\Admin\AppData\Local\winlogon.exe | PID:4588
        - UAC bypass
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Disables cmd.exe use via registry modification
        - Deletes itself
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - System policy modification
        C:\Windows\SysWOW64\netsh.exe | netsh firewall set opmode disable | PID:1328
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          - System Location Discovery: System Language Discovery
          C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1204
        C:\Windows\SysWOW64\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE" | PID:2908
      C:\Windows\SysWOW64\at.exe | at /delete /y | PID:3052
        - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\at.exe | at 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\A.kotnorB.com" | PID:1684
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\services.exe | C:\Users\Admin\AppData\Local\services.exe | PID:3996
        - Disables RegEdit via registry modification
        - Disables cmd.exe use via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Local\lsass.exe | C:\Users\Admin\AppData\Local\lsass.exe | PID:4596
        - Disables RegEdit via registry modification
        - Disables cmd.exe use via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Local\inetinfo.exe | C:\Users\Admin\AppData\Local\inetinfo.exe | PID:3260
        - Disables RegEdit via registry modification
        - Disables cmd.exe use via registry modification
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3728
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3908
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:4004
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4072
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:2796
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4104
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:1596
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3704
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:4540
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | PID:3784
C:\Windows\system32\sihost.exe | sihost.exe | PID:1696
  C:\Windows\explorer.exe | explorer.exe /LOADSAVEDWINDOWS | PID:3956
C:\Windows\system32\sihost.exe | sihost.exe | PID:4268
C:\Windows\system32\sihost.exe | sihost.exe | PID:2516
C:\Windows\system32\sihost.exe | sihost.exe | PID:1768
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:3388
C:\Windows\system32\LogonUI.exe | "LogonUI.exe" /flags:0x4 /state0:0xa38da055 /state1:0x41c64e6d | PID:2932
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1): Windows Service (1)
Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1): Windows Service (1)
Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
Modify Registry (5)
Downloads
-
Filesize
190KB
MD5
cc51c6f7ff7fa39f238b3955d7cf306c
SHA1
96f88e281d821ffcd5246b3b7f5437cc8c44a184
SHA256
6637b3c50d6af3fd5921f0fe71b576dbfad04091ca3a6ec7ddc73ffbf09609ef
SHA512
182908dbe50a5ebe1150b0f9df4be732af9bfaefd65e9fad2571cce7c1c32a090b27a02e2bed3b89188ce759a19d452442ab42b720b8b82fad9307edb27f5598
-
Filesize
232KB
MD5
e05e396f6d95094185e91ee6141e66a9
SHA1
0ada554f270baffca0f365533a456a31f3d8e667
SHA256
88df095a28ea561bc2a8f6e96b8c58ce4496ba4562c54c3e32c93ab4081d85f7
SHA512
8963f746717fe0d62458095c2325522271c1e82585e1ae4f61710ca712aaa35417be6dc4e30b8b39a73f11ecad0d024923ccff1639d16af246b229061c086710
-
Filesize
258B
MD5
8222d4893b4994954c89b803b5e4d749
SHA1
9bf3eea18c2378c59c0930aab883ee5e2df79070
SHA256
7940ab2c0c6b1ede111c34120673b0ffbb7edc0643094657c1cb3ea755093bee
SHA512
d669df6b79e37d08e2dd37a4d6223c898558680658ee281689c31159d5bc67ed5145f584e1996a8f8b2e298bc37915dd94a7fcd51057bcf0d66fcadce809237c