Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-12-2024 05:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
20 signatures
150 seconds
General
-
Target
ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe
-
Size
100KB
-
MD5
ea08c8aa6b05987a80f590b1cca8bfb1
-
SHA1
56d7cb3bb835fe3d4e7c0bd2667fcd50601410e3
-
SHA256
e9f2ce75d14f87e9fea74bc1d76628b6b9ed15a0c846f97712a3577966335a70
-
SHA512
8c96c61adab4ff90114900edb4d5594028955feed06c015155a7cdb0b85840dbe431e0939070137340ae1623cbf702368868a4e1cc562472ec559723f5f20c48
-
SSDEEP
1536:IbH1Po8/gtPAVzmwH0I2DDwbzfjdNDW84/qApIhyKQtoLavnJJw2OCF02pAgI7w:i+8/gtsmwx2ixNW3z3hxO002pAgI
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe -
Disables Task Manager via registry modification
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened (read-only) \??\K: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened (read-only) \??\M: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened (read-only) \??\N: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened (read-only) \??\U: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened (read-only) \??\W: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened (read-only) \??\Y: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened (read-only) \??\E: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened (read-only) \??\G: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened (read-only) \??\O: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened (read-only) \??\P: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened (read-only) \??\T: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened (read-only) \??\V: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened (read-only) \??\X: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened (read-only) \??\Z: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened (read-only) \??\H: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened (read-only) \??\J: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened (read-only) \??\Q: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened (read-only) \??\R: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened (read-only) \??\S: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened (read-only) \??\L: ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened for modification F:\autorun.inf ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe -
resource yara_rule behavioral2/memory/1996-8-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-6-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-4-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-3-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-5-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-7-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-12-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-11-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-15-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-16-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-17-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-18-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-19-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-20-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-22-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-23-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-24-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-25-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-27-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-30-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-32-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-34-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-36-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-38-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-39-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-40-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-49-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-50-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-53-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-55-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-56-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-57-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-59-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-61-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-62-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-64-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-65-0x00000000022E0000-0x000000000336E000-memory.dmp upx behavioral2/memory/1996-68-0x00000000022E0000-0x000000000336E000-memory.dmp upx -
Drops file in Program Files directory 11 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe Token: SeDebugPrivilege 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1996 wrote to memory of 776 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 8 PID 1996 wrote to memory of 784 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 9 PID 1996 wrote to memory of 1020 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 13 PID 1996 wrote to memory of 2836 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 49 PID 1996 wrote to memory of 2892 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 50 PID 1996 wrote to memory of 2972 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 51 PID 1996 wrote to memory of 3420 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 56 PID 1996 wrote to memory of 3576 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 57 PID 1996 wrote to memory of 3756 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 58 PID 1996 wrote to memory of 3844 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 59 PID 1996 wrote to memory of 3912 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 60 PID 1996 wrote to memory of 3996 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 61 PID 1996 wrote to memory of 4132 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 62 PID 1996 wrote to memory of 2708 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 75 PID 1996 wrote to memory of 4032 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 76 PID 1996 wrote to memory of 3108 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 81 PID 1996 wrote to memory of 776 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 8 PID 1996 wrote to memory of 784 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 9 PID 1996 wrote to memory of 1020 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 13 PID 1996 wrote to memory of 2836 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 49 PID 1996 wrote to memory of 2892 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 50 PID 1996 wrote to memory of 2972 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 51 PID 1996 wrote to memory of 3420 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 56 PID 1996 wrote to memory of 3576 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 57 PID 1996 wrote to memory of 3756 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 58 PID 1996 wrote to memory of 3844 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 59 PID 1996 wrote to memory of 3912 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 60 PID 1996 wrote to memory of 3996 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 61 PID 1996 wrote to memory of 4132 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 62 PID 1996 wrote to memory of 2708 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 75 PID 1996 wrote to memory of 4032 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 76 PID 1996 wrote to memory of 3108 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 81 PID 1996 wrote to memory of 776 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 8 PID 1996 wrote to memory of 784 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 9 PID 1996 wrote to memory of 1020 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 13 PID 1996 wrote to memory of 2836 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 49 PID 1996 wrote to memory of 2892 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 50 PID 1996 wrote to memory of 2972 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 51 PID 1996 wrote to memory of 3420 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 56 PID 1996 wrote to memory of 3576 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 57 PID 1996 wrote to memory of 3756 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 58 PID 1996 wrote to memory of 3844 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 59 PID 1996 wrote to memory of 3912 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 60 PID 1996 wrote to memory of 3996 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 61 PID 1996 wrote to memory of 4132 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 62 PID 1996 wrote to memory of 2708 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 75 PID 1996 wrote to memory of 4032 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 76 PID 1996 wrote to memory of 776 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 8 PID 1996 wrote to memory of 784 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 9 PID 1996 wrote to memory of 1020 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 13 PID 1996 wrote to memory of 2836 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 49 PID 1996 wrote to memory of 2892 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 50 PID 1996 wrote to memory of 2972 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 51 PID 1996 wrote to memory of 3420 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 56 PID 1996 wrote to memory of 3576 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 57 PID 1996 wrote to memory of 3756 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 58 PID 1996 wrote to memory of 3844 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 59 PID 1996 wrote to memory of 3912 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 60 PID 1996 wrote to memory of 3996 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 61 PID 1996 wrote to memory of 4132 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 62 PID 1996 wrote to memory of 2708 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 75 PID 1996 wrote to memory of 4032 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 76 PID 1996 wrote to memory of 776 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 8 PID 1996 wrote to memory of 784 1996 ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe 9 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:776
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:784
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:1020
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2836
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2892
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2972
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3420
-
C:\Users\Admin\AppData\Local\Temp\ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ea08c8aa6b05987a80f590b1cca8bfb1_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1996
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3576
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3756
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3844
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3912
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3996
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4132
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:2708
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4032
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:3108
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD5f1070f28b006064c0f196c39745eea6b
SHA145bb077b085652ddaca051e68e47735e6e5be34c
SHA256cde0194f5b500036ca3fc7968ae73aaa442ce58e764c25eb4aa7d4dda2d437e4
SHA512893ab2259bc1d51f28513efc132750a35fe2ae93de81a1d48b45f99e59b83c61a00d9e38e288b1ddef4383cd5d34ef9abcddeb3359df1c2ca27362b923c8ecfc