Analysis
- max time kernel: 30s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/12/2024, 08:26
Static task: static1
Behavioral task: behavioral1
- Sample: e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe
- Resource: win7-20240729-en
General
- Target: e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe
- Size: 128KB
- MD5: e5838b0cecaf292e80a9ba05fe32c141
- SHA1: 1f8f964f010ab0e79011801400a36ac8736f3379
- SHA256: 917fcc16c233473f5f4dbc830e8aa77d657640b6b1e66907e14c47279f1109b1
- SHA512: 3abeb1079b2de74e955d8ce5e508c458e6c58646ed6a1b6324a383da6a3d5d24a5c01dd9a7e22ee92e895bd29812cc749fd8cfdda008be314eda334794fc929b
- SSDEEP: 1536:G9/7fyxIyMLC6VBw3O74JFw8jV+HtTS2r+sqP64sip0Sl1XULcSEWnT8VbSx:c7fasVBw64JFwQuSQkPmSl1QcS1QVo
Malware Config
Extracted family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
- e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- winlogon.exe
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Sality family

UAC bypass 2 IoCs
- e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass 12 IoCs
- e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- winlogon.exe
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
- e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe: Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation

Deletes itself 1 IoCs
- PID 4040 winlogon.exe

Executes dropped EXE 1 IoCs
- PID 4040 winlogon.exe
Windows security modification 14 IoCs
- e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- winlogon.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

Adds Run key to start application 2 TTPs 2 IoCs
- winlogon.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA Media Center Library = "C:\\Users\\Admin\\Admin1\\winlogon.exe"
- winlogon.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NVIDIA Media Center Library = "C:\\Users\\Admin\\Admin1\\winlogon.exe"

Checks whether UAC is enabled 2 IoCs
- e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives 3 TTPs 5 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- winlogon.exe: File opened (read-only) \??\E:
- winlogon.exe: File opened (read-only) \??\G:
- winlogon.exe: File opened (read-only) \??\H:
- winlogon.exe: File opened (read-only) \??\I:
- winlogon.exe: File opened (read-only) \??\J:

Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
- e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
- e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0
- winlogon.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
- winlogon.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0
YARA rule matches (upx) 38 IoCs
- PID 1164 (e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe), region 0x0000000002AB0000-0x0000000003B3E000: rule upx matched in 10 dumps, behavioral2/memory/1164-{1,3,4,6,9,10,15,16,17,38}-0x0000000002AB0000-0x0000000003B3E000-memory.dmp
- PID 4040 (winlogon.exe), region 0x0000000003930000-0x00000000049BE000: rule upx matched in 28 dumps, behavioral2/memory/4040-{45,47,51,52,53,54,57,58,59,60,61,62,63,64,66,67,68,69,72,74,75,78,81,82,83,85,87,89}-0x0000000003930000-0x00000000049BE000-memory.dmp
Drops file in Windows directory 1 IoCs
- e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe: File opened for modification C:\Windows\SYSTEM.INI

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- winlogon.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses 20 IoCs
- PID 1164 e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe (2 rows)
- PID 4040 winlogon.exe (18 rows)

Suspicious use of AdjustPrivilegeToken 64 IoCs
- Token: SeDebugPrivilege, PID 1164 e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe (all 64 rows are this same token and process)

Suspicious use of SetWindowsHookEx 4 IoCs
- PID 1164 e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe (2 rows)
- PID 4040 winlogon.exe (2 rows)

Suspicious use of WriteProcessMemory 48 IoCs
(columns in the original table: description, pid, Process, procid_target; the target PID is given first, its procid_target in parentheses)
- PID 1164 e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe wrote to memory of: 784 (8), 792 (9), 380 (13), 2768 (49), 2824 (50), 2972 (51), 3472 (56), 3592 (57), 3764 (58), 3852 (59), 3920 (60), 4004 (61), 4124 (62), 4392 (64), 3132 (75), 4040 (82, three rows)
- PID 4040 winlogon.exe wrote to memory of: 784 (8), 792 (9), 380 (13), 2768 (49), 2824 (50), 2972 (51), 3472 (56), 3592 (57), 3764 (58), 3852 (59), 3920 (60), 4004 (61), 4124 (62), 4392 (64), 3132 (75); every one of these pairs appears twice

System policy modification 1 TTPs 2 IoCs
- e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- winlogon.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
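The registry writes in the signature tables above are the part of this report that transfers directly to host detection: the same key paths show up in Sysmon Event ID 13 (RegistryEvent: Value Set) as TargetObject/Details. The script below is an added example written for this page, not Triage's signature code. It parses a handful of IoC rows copied from the tables above (constructed sample input, in Triage's displayed row format), maps each write to the ATT&CK technique it evidences, and flags the Run-key entry whose data is a system-binary name (winlogon.exe) living outside C:\Windows. The row grammar, the technique mapping and the system-binary name list are this example's own assumptions.

```python
"""Map Triage-style registry IoC rows to ATT&CK techniques.

Added example for this report; it is not Triage's own signature code. The
sample rows are constructed from the report's IoC tables. The row grammar,
the technique mapping and the "system-binary name outside C:\\Windows"
heuristic are this example's assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample rows, copied from the report's signature tables.
IOC_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" winlogon.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" winlogon.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winlogon.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA Media Center Library = "C:\\Users\\Admin\\Admin1\\winlogon.exe" winlogon.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe',
]

# Row grammar (assumed): <action> <key path>[ = "<data>"] <process name>
ROW_RE = re.compile(
    r'^(?P<action>Set value \((?:int|str)\)|Key value queried|Key created|Key opened)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s=\s"(?P<data>.*)")?'
    r'\s+(?P<process>\S+)$'
)

# Names that Windows only runs from under C:\Windows (assumption for the masquerading check).
SYSTEM_BINARY_NAMES = {"winlogon.exe", "svchost.exe", "csrss.exe", "lsass.exe", "services.exe"}


def parse_row(row):
    """Split one IoC row into action, key path, data (backslashes unescaped) and process."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised IoC row: {row!r}")
    ioc = m.groupdict()
    if ioc["data"] is not None:
        ioc["data"] = ioc["data"].replace("\\\\", "\\")  # Triage doubles backslashes in string data
    return ioc


def classify(ioc):
    """Return the ATT&CK technique IDs this single registry event is evidence for."""
    action, path = ioc["action"], ioc["path"].lower()
    data = (ioc["data"] or "").lower()
    writes = action.startswith("Set value")
    hits = set()
    if writes:
        hits.add("T1112")  # any value write is Modify Registry
    if writes and "\\firewallpolicy\\" in path:
        hits.add("T1562.004")  # Impair Defenses: Disable or Modify System Firewall
    if writes and path.endswith("\\policies\\system\\enablelua") and data == "0":
        hits.add("T1548.002")  # Abuse Elevation Control Mechanism: Bypass UAC
    if writes and "\\security center\\" in path and data == "1" \
            and (path.endswith("override") or path.endswith("disablenotify")):
        hits.add("T1562.001")  # Impair Defenses: Disable or Modify Tools (Security Center alerting)
    if writes and "\\currentversion\\run\\" in path:
        hits.add("T1547.001")  # Boot or Logon Autostart Execution: Registry Run Keys
        basename = data.split("\\")[-1]
        if basename in SYSTEM_BINARY_NAMES and not data.startswith("c:\\windows\\"):
            hits.add("T1036.005")  # Masquerading: Match Legitimate Name or Location
    if action == "Key value queried" and path.endswith("\\geo\\nation"):
        hits.add("T1614")  # System Location Discovery
    return hits


def summarize(rows):
    """Per-process Counter of technique hits, e.g. summary['winlogon.exe']['T1562.001']."""
    summary = defaultdict(Counter)
    for row in rows:
        ioc = parse_row(row)
        summary[ioc["process"]].update(classify(ioc))
    return summary


if __name__ == "__main__":
    for process, techniques in summarize(IOC_ROWS).items():
        print(process, dict(techniques))
```

The same predicates apply unchanged to live Sysmon telemetry if you feed TargetObject as the path, Details as the data and Image as the process. The Run-key check is the one worth keeping in a production rule: a persistence value whose target is named after a core Windows binary but points into a user profile is almost never legitimate.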
Processes
(indented entries are children of the entry above them; the signatures each process triggered are listed beneath it)

PID 784   C:\Windows\system32\fontdrvhost.exe   "fontdrvhost.exe"
PID 792   C:\Windows\system32\fontdrvhost.exe   "fontdrvhost.exe"
PID 380   C:\Windows\system32\dwm.exe   "dwm.exe"
PID 2768  C:\Windows\system32\sihost.exe   sihost.exe
PID 2824  C:\Windows\system32\svchost.exe   C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2972  C:\Windows\system32\taskhostw.exe   taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3472  C:\Windows\Explorer.EXE   C:\Windows\Explorer.EXE
  PID 1164  C:\Users\Admin\AppData\Local\Temp\e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe   "C:\Users\Admin\AppData\Local\Temp\e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Checks computer location settings
    - Windows security modification
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID 4040  C:\Users\Admin\Admin1\winlogon.exe   "C:\Users\Admin\Admin1\winlogon.exe"
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Maps connected drives based on registry
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
PID 3592  C:\Windows\system32\svchost.exe   C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3764  C:\Windows\system32\DllHost.exe   C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3852  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe   "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3920  C:\Windows\System32\RuntimeBroker.exe   C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4004  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe   "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 4124  C:\Windows\System32\RuntimeBroker.exe   C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4392  C:\Windows\System32\RuntimeBroker.exe   C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3132  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe   "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
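The tree above contains the one process-level finding that generalises beyond this sample: a binary named winlogon.exe running from C:\Users\Admin\Admin1, parented by an executable in the user's Temp directory. The real winlogon.exe is started by smss.exe from C:\Windows\System32; a copy anywhere else shares nothing with it but the name. The script below is an added example written for this page (not Triage's code). It takes a cut-down version of the process tree, constructed from the entries above as (nesting level, PID, image path), resolves parents from the nesting, and flags system-binary names running outside System32 together with their ancestry and whether a Temp-launched dropper sits above them. The list of system binary names and the System32 location are this example's assumptions.

```python
"""Flag system-binary names running outside System32 in a sandbox process tree.

Added example for this report, not Triage's own code. TREE is constructed
from the report's Processes section (nesting level, PID, image path); parent
links are inferred from the nesting. The expected-location table and the
heuristics are this example's assumptions.
"""
import ntpath

# Constructed from the report: (nesting level, pid, image path).
TREE = [
    (1, 784, r"C:\Windows\system32\fontdrvhost.exe"),
    (1, 380, r"C:\Windows\system32\dwm.exe"),
    (1, 2824, r"C:\Windows\system32\svchost.exe"),
    (1, 3472, r"C:\Windows\Explorer.EXE"),
    (2, 1164, r"C:\Users\Admin\AppData\Local\Temp\e5838b0cecaf292e80a9ba05fe32c141_JaffaCakes118.exe"),
    (3, 4040, r"C:\Users\Admin\Admin1\winlogon.exe"),
    (1, 3592, r"C:\Windows\system32\svchost.exe"),
    (1, 3920, r"C:\Windows\System32\RuntimeBroker.exe"),
]

# Binaries a real Windows install only runs from System32 (assumption).
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                   "services.exe", "smss.exe", "dwm.exe", "fontdrvhost.exe"}
SYSTEM32 = r"c:\windows\system32"
TEMP_MARKER = "\\appdata\\local\\temp\\"   # user Temp directory, lower-cased


def build_tree(rows):
    """Resolve each process's parent: the nearest preceding row one nesting level up."""
    procs, stack = {}, []          # stack[i] is the pid currently open at nesting level i+1
    for level, pid, image in rows:
        del stack[level - 1:]      # pop back to this row's parent level
        parent = stack[-1] if stack else None
        procs[pid] = {"pid": pid, "image": image, "parent": parent}
        stack.append(pid)
    return procs


def ancestry(procs, pid):
    """PIDs from the process up to its root, e.g. [4040, 1164, 3472]."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = procs[pid]["parent"]
    return chain


def find_masquerading(procs):
    """Processes whose image name is a System32 binary but whose directory is not System32."""
    findings = []
    for p in procs.values():
        name = ntpath.basename(p["image"]).lower()
        if name in SYSTEM_BINARIES and ntpath.dirname(p["image"]).lower() != SYSTEM32:
            chain = ancestry(procs, p["pid"])
            findings.append({
                "pid": p["pid"],
                "image": p["image"],
                "ancestry": chain,
                # True when some ancestor was launched from the user's Temp directory (a dropper)
                "temp_ancestor": any(TEMP_MARKER in procs[a]["image"].lower() for a in chain[1:]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_masquerading(build_tree(TREE)):
        print(finding)
```

On a live host the same check runs over Sysmon Event ID 1 (Image, ParentImage) or an EDR process tree; the nesting-to-parent step is only needed for flattened sandbox output like this page. Expect a small allow-list in practice (installer staging directories, WinSxS servicing copies), but a System32 name under a user profile with a Temp executable as parent needs no tuning.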
Network
MITRE ATT&CK Enterprise v15
(counts in parentheses are the page's own per-technique hit counts)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (6)
Downloads
- Filesize: 128KB (hashes match the submitted sample)
  MD5: e5838b0cecaf292e80a9ba05fe32c141
  SHA1: 1f8f964f010ab0e79011801400a36ac8736f3379
  SHA256: 917fcc16c233473f5f4dbc830e8aa77d657640b6b1e66907e14c47279f1109b1
  SHA512: 3abeb1079b2de74e955d8ce5e508c458e6c58646ed6a1b6324a383da6a3d5d24a5c01dd9a7e22ee92e895bd29812cc749fd8cfdda008be314eda334794fc929b
- Filesize: 257B
  MD5: 95ae166a1d47986f16a5897832008b30
  SHA1: d01400db1f52f4b12daa0b403a4baf8279ebe3d6
  SHA256: c2c26804cf858b4a64e9d90bcaba1bc4fa17038641f636e86fb1e1549f404dcc
  SHA512: cdaf2eed72e98a90beb153f8665d43f2df10bb05064f6ece9e6959772f4fadebe8b9418c78ba8987ab4e96b84915c633b3dde527fea5e7bb3e7992a6a4638103
- Filesize: 96KB
  MD5: bdc581d18de6804a2d41b0f49dfc45f7
  SHA1: 4fe0f4831a0643e0c9546ae6327f199545032a02
  SHA256: 438f0e2d40cc779a725f679d4cf7cd51db68d490a0791e29f09932068ff91f3b
  SHA512: 893aa0873c1699479e2248443c74c34868583244e168f49a139d6abc6560ba071cffa6075fa643eae9926f2a8d2223c1019e64145137f1cabcbb82d8626ae246