Analysis
max time kernel: 35s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-12-2024 11:03

Static task: static1
Behavioral task: behavioral1
  Sample: eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Resource: win7-20240729-en
General
Target: eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Size: 376KB
MD5: eb34748365c13012b9ac9cc72f7239a9
SHA1: 2b3950148a078a0973493f149eaaf43cc99dba52
SHA256: eb521d50384f45b31ad8fd002b48429febdee7c02866ab752631f27b42b0721e
SHA512: bffe9c7dc112645f9ab698ebd67364614b5f2206bb7092ab657e2966c784fefbc680d9e62f9a61b6480005e954694645da3f2ddf66c44c3630a8b41f6b85309e
SSDEEP: 3072:AmKxZkvuz8WClBs3zTiFGns5X7z4hJgKVES3Esv:A9kDlyjTiysJEJTCS
Malware Config (extracted)
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | Qyyy jnsateb.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | Qyyy jnsateb.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | Qyyy jnsateb.exe

Modifies visibility of file extensions in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Qyyy jnsateb.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Qyyy jnsateb.exe

Sality family

UAC bypass (heading missing in the extracted page; signature name taken from the process tree below)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Qyyy jnsateb.exe

Windows security bypass (heading missing in the extracted page; signature name taken from the process tree below)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Qyyy jnsateb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Qyyy jnsateb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Qyyy jnsateb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Qyyy jnsateb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Qyyy jnsateb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Qyyy jnsateb.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe

Deletes itself (1 IoCs)
  pid | Process
  1664 | Qyyy jnsateb.exe

Executes dropped EXE (1 IoCs)
  pid | Process
  1664 | Qyyy jnsateb.exe

Modifies system executable filetype association (2 TTPs, 8 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | Qyyy jnsateb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\InfoTip = "prop:" | Qyyy jnsateb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\TileInfo = "prop:" | Qyyy jnsateb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "\u00a0File Folder" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\InfoTip = "prop:" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\TileInfo = "prop:" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "\u00a0File Folder" | Qyyy jnsateb.exe

Windows security modification (heading missing in the extracted page; signature name taken from the process tree below)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Qyyy jnsateb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Qyyy jnsateb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Qyyy jnsateb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Qyyy jnsateb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Qyyy jnsateb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Qyyy jnsateb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | Qyyy jnsateb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\013225823.exe" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | Qyyy jnsateb.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\013225823.exe" | Qyyy jnsateb.exe

Checks whether UAC is enabled (heading missing in the extracted page; signature name taken from the process tree below)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Qyyy jnsateb.exe

Enumerates connected drives (3 TTPs, 5 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\E: | Qyyy jnsateb.exe
  File opened (read-only) | \??\G: | Qyyy jnsateb.exe
  File opened (read-only) | \??\H: | Qyyy jnsateb.exe
  File opened (read-only) | \??\I: | Qyyy jnsateb.exe
  File opened (read-only) | \??\J: | Qyyy jnsateb.exe
Yara rule match: upx
  Matched on memory dumps of PID 212 (region 0x0000000002CB0000-0x0000000003D3E000) and PID 1664 (region 0x0000000003810000-0x000000000489E000); the per-dump resource list is omitted.
Drops file in Windows directory (7 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SYSTEM.INI | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  File created | C:\Windows\Qyyy jnsateb.exe | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  File opened for modification | C:\Windows\Qyyy jnsateb.exe | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  File created | C:\Windows\013225823.exe | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  File opened for modification | C:\Windows\013225823.exe | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  File opened for modification | C:\Windows\Qyyy jnsateb.exe | Qyyy jnsateb.exe
  File opened for modification | C:\Windows\013225823.exe | Qyyy jnsateb.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qyyy jnsateb.exe

Modifies registry class (11 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | Qyyy jnsateb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\TileInfo = "prop:" | Qyyy jnsateb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "\u00a0File Folder" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\InfoTip = "prop:" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\TileInfo = "prop:" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | Qyyy jnsateb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "\u00a0File Folder" | Qyyy jnsateb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\InfoTip = "prop:" | Qyyy jnsateb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  1664 | Qyyy jnsateb.exe
  1664 | Qyyy jnsateb.exe
  1664 | Qyyy jnsateb.exe
  1664 | Qyyy jnsateb.exe
  1664 | Qyyy jnsateb.exe
  1664 | Qyyy jnsateb.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs, all identical; listed once)
  description | pid | Process
  Token: SeDebugPrivilege | 212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  1664 | Qyyy jnsateb.exe
Suspicious use of WriteProcessMemory (63 IoCs; the fifteen PID 1664 entries recur three times in the listing and are given once)
  description | pid | Process | procid_target
  PID 212 wrote to memory of 776 | 212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe | 8
  PID 212 wrote to memory of 780 | 212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe | 9
  PID 212 wrote to memory of 60 | 212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe | 13
  PID 212 wrote to memory of 2528 | 212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe | 44
  PID 212 wrote to memory of 2580 | 212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe | 45
  PID 212 wrote to memory of 2756 | 212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe | 50
  PID 212 wrote to memory of 3520 | 212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe | 56
  PID 212 wrote to memory of 3672 | 212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe | 57
  PID 212 wrote to memory of 3868 | 212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe | 58
  PID 212 wrote to memory of 3956 | 212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe | 59
  PID 212 wrote to memory of 4020 | 212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe | 60
  PID 212 wrote to memory of 408 | 212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe | 61
  PID 212 wrote to memory of 4128 | 212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe | 62
  PID 212 wrote to memory of 3796 | 212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe | 74
  PID 212 wrote to memory of 3732 | 212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe | 76
  PID 212 wrote to memory of 1664 | 212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe | 83
  PID 212 wrote to memory of 1664 | 212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe | 83
  PID 212 wrote to memory of 1664 | 212 | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe | 83
  PID 1664 wrote to memory of 776 | 1664 | Qyyy jnsateb.exe | 8
  PID 1664 wrote to memory of 780 | 1664 | Qyyy jnsateb.exe | 9
  PID 1664 wrote to memory of 60 | 1664 | Qyyy jnsateb.exe | 13
  PID 1664 wrote to memory of 2528 | 1664 | Qyyy jnsateb.exe | 44
  PID 1664 wrote to memory of 2580 | 1664 | Qyyy jnsateb.exe | 45
  PID 1664 wrote to memory of 2756 | 1664 | Qyyy jnsateb.exe | 50
  PID 1664 wrote to memory of 3520 | 1664 | Qyyy jnsateb.exe | 56
  PID 1664 wrote to memory of 3672 | 1664 | Qyyy jnsateb.exe | 57
  PID 1664 wrote to memory of 3868 | 1664 | Qyyy jnsateb.exe | 58
  PID 1664 wrote to memory of 3956 | 1664 | Qyyy jnsateb.exe | 59
  PID 1664 wrote to memory of 4020 | 1664 | Qyyy jnsateb.exe | 60
  PID 1664 wrote to memory of 408 | 1664 | Qyyy jnsateb.exe | 61
  PID 1664 wrote to memory of 4128 | 1664 | Qyyy jnsateb.exe | 62
  PID 1664 wrote to memory of 3796 | 1664 | Qyyy jnsateb.exe | 74
  PID 1664 wrote to memory of 3732 | 1664 | Qyyy jnsateb.exe | 76
System policy modification (1 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Qyyy jnsateb.exe
Processes (image path | command line | PID; indentation shows parent/child depth in the process tree)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 776
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 780
C:\Windows\system32\dwm.exe | "dwm.exe" | PID 60
C:\Windows\system32\sihost.exe | sihost.exe | PID 2528
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2580
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2756
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3520
  C:\Users\Admin\AppData\Local\Temp\eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\eb34748365c13012b9ac9cc72f7239a9_JaffaCakes118.exe" | PID 212
    - Modifies firewall policy service
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Windows security bypass
    - Checks computer location settings
    - Modifies system executable filetype association
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\Qyyy jnsateb.exe | "C:\Windows\Qyyy jnsateb.exe" | PID 1664
      - Modifies firewall policy service
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Windows security bypass
      - Deletes itself
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3672
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3868
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3956
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4020
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 408
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4128
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 3796
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3732
MITRE ATT&CK Enterprise v15 (technique, count of matching signatures)

Persistence
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
  Create or Modify System Process 1
    Windows Service 1
  Event Triggered Execution 1
    Change Default File Association 1

Privilege Escalation
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
  Create or Modify System Process 1
    Windows Service 1
  Event Triggered Execution 1
    Change Default File Association 1

Defense Evasion
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Hide Artifacts 2
    Hidden Files and Directories 2
  Impair Defenses 4
    Disable or Modify System Firewall 1
    Disable or Modify Tools 3
  Modify Registry 9
Downloads

File 1
  Filesize: 257B
  MD5: 06623f378b7b0a67829b177be22b2885
  SHA1: 20260bf598ee2409c80706c02995f5e58529e4bc
  SHA256: d3084e7903d5a0a1696d3969f35c737278adb96b69f21ed31d3f658cb2fc0467
  SHA512: f3b49d2a14b0c4b03a1fc76f32fdec544b9e798b8b2c418c5dcf17580cf37c7194864a97fee8f5ae7199f8f10e3a6d9105236a162693c08e2c07b2dfc04d1932

File 2 (same hashes as the submitted sample)
  Filesize: 376KB
  MD5: eb34748365c13012b9ac9cc72f7239a9
  SHA1: 2b3950148a078a0973493f149eaaf43cc99dba52
  SHA256: eb521d50384f45b31ad8fd002b48429febdee7c02866ab752631f27b42b0721e
  SHA512: bffe9c7dc112645f9ab698ebd67364614b5f2206bb7092ab657e2966c784fefbc680d9e62f9a61b6480005e954694645da3f2ddf66c44c3630a8b41f6b85309e