Analysis
max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
13-12-2024 14:25
Static task
static1
Behavioral task
behavioral1
Sample
ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
Resource
win7-20241010-en
General
-
Target
ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
-
Size
148KB
-
MD5
ebee0485e7675aafab5adda9616b9157
-
SHA1
a02fcfd4d65afbe6c3c362ca486fe9fcf35039ca
-
SHA256
d7ff43cc3b5824b229de667f61962d8aaf79066a0a05924753ea7fb5ebb721ef
-
SHA512
133ad3a105e6f55c14074bf8172c269c05a052f9fbfb1981cb550babe5078e0571b0ce5843521eef4523230fe3948888ff5ee87de1cada82f200f5a110fdf0bf
-
SSDEEP
3072:6j9wN336MdMfLirVQW0/nyypsTeS4CHyjQ/6PTY7dJ2YHSg3:BqqULirVT01GrHaQ/6WdJJH7
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
Sality family
-
UAC bypass
description ioc Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
Windows security bypass
description ioc Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
Disables RegEdit via registry modification 1 IoCs
description ioc Process
  Set value (int)  \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
Windows security modification
description ioc Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
Checks whether UAC is enabled
description ioc Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
Drops desktop.ini file(s) 7 IoCs
description ioc Process
  File opened for modification  C:\Users\Admin\Pictures\desktop.ini  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened for modification  C:\Users\Public\Pictures\desktop.ini  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened for modification  C:\Users\Admin\Music\desktop.ini  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened for modification  C:\Users\Public\desktop.ini  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened for modification  C:\Users\Public\Music\desktop.ini  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened for modification  C:\Users\Admin\Videos\desktop.ini  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened for modification  C:\Users\Public\Videos\desktop.ini  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
  File opened (read-only)  \??\Z:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\B:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\G:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\H:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\N:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\P:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\R:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\T:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\O:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\Q:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\V:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\Y:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\J:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\K:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\U:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\X:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\A:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\E:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\I:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\L:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\M:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\S:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened (read-only)  \??\W:  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
  File opened for modification  C:\autorun.inf  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened for modification  F:\autorun.inf  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
Drops file in Program Files directory 11 IoCs
description ioc Process
  File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened for modification  C:\PROGRAM FILES\7-ZIP\7z.exe  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened for modification  C:\PROGRAM FILES\7-ZIP\7zFM.exe  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened for modification  C:\PROGRAM FILES\7-ZIP\7zG.exe  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened for modification  C:\PROGRAM FILES\7-ZIP\Uninstall.exe  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File opened for modification  C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
Drops file in Windows directory 3 IoCs
description ioc Process
  File opened for modification  C:\Windows\SYSTEM.INI  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  File created  C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll  svchost.exe
  File opened for modification  C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll  svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
Modifies registry class 2 IoCs
description ioc Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 30 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
  4488  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 1 IoCs
description ioc Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:780
-
C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:788
-
C:\Windows\system32\dwm.exe  "dwm.exe"  PID:1016
-
C:\Windows\system32\sihost.exe  sihost.exe  PID:2552
-
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:2564
-
C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:2740
-
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:3560
    C:\Users\Admin\AppData\Local\Temp\ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\ebee0485e7675aafab5adda9616b9157_JaffaCakes118.exe"  PID:4488
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - System policy modification
-
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3696
-
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3872
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3972
-
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4048
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:668
-
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3620
-
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4644
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:2816
-
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost  PID:984
    - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
-
Filesize
64KB
MD5
ddc9ea8e629c27089a70102dc59f4916
SHA1
95426ece6741c2e0af35d9ded7fb75f6505b898c
SHA256
c40a3afac00ae5d455f395ff4cc2a4403a8cc846b1daed89cc507a7b294a79fb
SHA512
d4b31e8afce13d5d0ea3ce438955603d33e0ee576fe73d93fcc1f8754daed30e13d23c7e49b408b3e4604e3dc67a0a776f4c28c298a04dfa535bc2659063bffd
-
Filesize
9KB
MD5
7050d5ae8acfbe560fa11073fef8185d
SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
100KB
MD5
a16a736ed49331a107510bd8f7cb1951
SHA1
252fdc0858ac89aa10e3898c77ee59c21453c6ec
SHA256
48a10448c948cf9d882415e2fd5a21c3d875e97e1a8b121eb3b7cf8e61bbbc95
SHA512
2aa19b73fedc1a33cf1d26699da5c313e2b5374a83097ee52825e772b908a670b73ec7e1721fdb45efad65ee09d9c7fb6f188e22b7e5604e7afa577bed07c9b1