Analysis
- max time kernel: 94s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/12/2024, 02:39
Static task
- static1
Behavioral tasks
- behavioral1: Sample f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe, Resource win7-20240708-en
- behavioral2: Sample f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe, Resource win10v2004-20241007-en
- behavioral3: Sample $PLUGINSDIR/InstallOptions.dll, Resource win7-20240903-en
- behavioral4: Sample $PLUGINSDIR/InstallOptions.dll, Resource win10v2004-20241007-en
General
- Target: f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
- Size: 125KB
- MD5: f1e7e1001aeb2e61073278dd03a57f69
- SHA1: f3c6a4b785974217c1a1af914b19a6cdb0d8c5ab
- SHA256: 646c5fa222b322fee4fd877e378ed1f555bd3ce081e2b32c810a2025fc923a85
- SHA512: 78a1bed0442ecd39f1b9ac252e2d70909b03206efe735597eb55c80d68d78cdeb474384fbb69defe83efff2d7211e4e596b103ed65c1bd0d51daa026c4ac30e6
- SSDEEP: 3072:dQIeRTXJSceAbl+mHa+iNn8PhTjuiCWLm:dmUmp+mHXiNnssHKm
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | netsh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | netsh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | netsh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | netsh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | netsh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | netsh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | netsh.exe
Disables RegEdit via registry modification 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | netsh.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | Au_.exe
Disables Task Manager via registry modification
Modifies Windows Firewall 2 TTPs 3 IoCs
pid | Process
4008 | netsh.exe
3536 | netsh.exe
4052 | netsh.exe
Executes dropped EXE 1 IoCs
pid | Process
2364 | Au_.exe
Loads dropped DLL 1 IoCs
pid | Process
2364 | Au_.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Au_.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | Au_.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Au_.exe
Yara rule match: upx 10 IoCs
resource | yara_rule
behavioral2/memory/2244-1-0x00000000023B0000-0x00000000033E2000-memory.dmp | upx
behavioral2/memory/2244-6-0x00000000023B0000-0x00000000033E2000-memory.dmp | upx
behavioral2/memory/2244-26-0x00000000023B0000-0x00000000033E2000-memory.dmp | upx
behavioral2/memory/2244-4-0x00000000023B0000-0x00000000033E2000-memory.dmp | upx
behavioral2/memory/4008-45-0x0000000002C20000-0x0000000003C52000-memory.dmp | upx
behavioral2/memory/4008-48-0x0000000002C20000-0x0000000003C52000-memory.dmp | upx
behavioral2/memory/4008-63-0x0000000002C20000-0x0000000003C52000-memory.dmp | upx
behavioral2/memory/2364-144-0x0000000004BD0000-0x0000000005C02000-memory.dmp | upx
behavioral2/memory/2364-145-0x0000000004BD0000-0x0000000005C02000-memory.dmp | upx
behavioral2/memory/2364-143-0x0000000004BD0000-0x0000000005C02000-memory.dmp | upx
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Au_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
NSIS installer 4 IoCs
resource | yara_rule
behavioral2/files/0x0008000000023c5f-23.dat | nsis_installer_1
behavioral2/files/0x0008000000023c5f-23.dat | nsis_installer_2
behavioral2/files/0x0008000000023c60-38.dat | nsis_installer_1
behavioral2/files/0x0008000000023c60-38.dat | nsis_installer_2
Modifies registry class 55 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.rar\shell\open\command | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.7z\shell\open\command | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.gz\shell\open\command | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.tar\shell | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.bzip2\shell | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.7z\shell\open\command | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.7z\shell\open | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.tar\shell\open | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.bz2\shell | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.bz2\shell\open | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.bz2\shell\open | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.rar\shell | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.tar\shell | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.tgz\shell\open\command | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.7z | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.bzip2\shell\open | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.rar | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.7z\shell\open | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.tar\shell\open\command | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.rar\shell | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.bz2\shell\open\command | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.bz2 | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.rar\shell\open | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.tar\shell\open | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.tgz | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.7z\shell | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.tgz\shell | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.gz\shell\open | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.bzip2\shell\open\command | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.bz2\shell | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.bzip2\shell\open | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.gz\shell\open | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.tar\shell\open\command | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.tar | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.tgz\shell\open | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.tgz\shell\open\command | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.gz\shell\open\command | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.bzip2 | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.bz2\shell\open\command | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.bzip2\shell\open\command | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.bzip2\shell | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.gz\shell | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.gz | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.tgz\shell\open | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.7z\shell | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.gz\shell | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.rar\shell\open\command | Au_.exe
Key deleted | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\7-Zip.rar\shell\open | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.tgz\shell | Au_.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip | Au_.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
4008 | netsh.exe
4008 | netsh.exe
2364 | Au_.exe
2364 | Au_.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
(the same row is recorded 64 times)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2244 wrote to memory of 4008 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 82
PID 2244 wrote to memory of 4008 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 82
PID 2244 wrote to memory of 4008 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 82
PID 2244 wrote to memory of 760 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 8
PID 2244 wrote to memory of 768 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 9
PID 2244 wrote to memory of 64 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 13
PID 2244 wrote to memory of 2716 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 45
PID 2244 wrote to memory of 2768 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 47
PID 2244 wrote to memory of 2964 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 53
PID 2244 wrote to memory of 3500 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 56
PID 2244 wrote to memory of 3668 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 57
PID 2244 wrote to memory of 3832 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 58
PID 2244 wrote to memory of 3924 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 59
PID 2244 wrote to memory of 3996 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 60
PID 2244 wrote to memory of 4076 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 61
PID 2244 wrote to memory of 4108 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 62
PID 2244 wrote to memory of 2960 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 74
PID 2244 wrote to memory of 3732 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 76
PID 2244 wrote to memory of 4008 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 82
PID 2244 wrote to memory of 4008 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 82
PID 2244 wrote to memory of 2364 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 84
PID 2244 wrote to memory of 2364 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 84
PID 2244 wrote to memory of 2364 | 2244 | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe | 84
PID 4008 wrote to memory of 3536 | 4008 | netsh.exe | 85
PID 4008 wrote to memory of 3536 | 4008 | netsh.exe | 85
PID 4008 wrote to memory of 3536 | 4008 | netsh.exe | 85
PID 4008 wrote to memory of 760 | 4008 | netsh.exe | 8
PID 4008 wrote to memory of 768 | 4008 | netsh.exe | 9
PID 4008 wrote to memory of 64 | 4008 | netsh.exe | 13
PID 4008 wrote to memory of 2716 | 4008 | netsh.exe | 45
PID 4008 wrote to memory of 2768 | 4008 | netsh.exe | 47
PID 4008 wrote to memory of 2964 | 4008 | netsh.exe | 53
PID 4008 wrote to memory of 3500 | 4008 | netsh.exe | 56
PID 4008 wrote to memory of 3668 | 4008 | netsh.exe | 57
PID 4008 wrote to memory of 3832 | 4008 | netsh.exe | 58
PID 4008 wrote to memory of 3924 | 4008 | netsh.exe | 59
PID 4008 wrote to memory of 3996 | 4008 | netsh.exe | 60
PID 4008 wrote to memory of 4076 | 4008 | netsh.exe | 61
PID 4008 wrote to memory of 4108 | 4008 | netsh.exe | 62
PID 4008 wrote to memory of 2960 | 4008 | netsh.exe | 74
PID 4008 wrote to memory of 3732 | 4008 | netsh.exe | 76
PID 4008 wrote to memory of 4560 | 4008 | netsh.exe | 83
PID 4008 wrote to memory of 2364 | 4008 | netsh.exe | 84
PID 4008 wrote to memory of 2364 | 4008 | netsh.exe | 84
PID 4008 wrote to memory of 3536 | 4008 | netsh.exe | 85
PID 4008 wrote to memory of 3536 | 4008 | netsh.exe | 85
PID 2364 wrote to memory of 1488 | 2364 | Au_.exe | 86
PID 2364 wrote to memory of 1488 | 2364 | Au_.exe | 86
PID 2364 wrote to memory of 1488 | 2364 | Au_.exe | 86
PID 2364 wrote to memory of 4052 | 2364 | Au_.exe | 87
PID 2364 wrote to memory of 4052 | 2364 | Au_.exe | 87
PID 2364 wrote to memory of 4052 | 2364 | Au_.exe | 87
PID 2364 wrote to memory of 760 | 2364 | Au_.exe | 8
PID 2364 wrote to memory of 768 | 2364 | Au_.exe | 9
PID 2364 wrote to memory of 64 | 2364 | Au_.exe | 13
PID 2364 wrote to memory of 2716 | 2364 | Au_.exe | 45
PID 2364 wrote to memory of 2768 | 2364 | Au_.exe | 47
PID 2364 wrote to memory of 2964 | 2364 | Au_.exe | 53
PID 2364 wrote to memory of 3500 | 2364 | Au_.exe | 56
PID 2364 wrote to memory of 3668 | 2364 | Au_.exe | 57
PID 2364 wrote to memory of 3832 | 2364 | Au_.exe | 58
PID 2364 wrote to memory of 3924 | 2364 | Au_.exe | 59
PID 2364 wrote to memory of 3996 | 2364 | Au_.exe | 60
PID 2364 wrote to memory of 4076 | 2364 | Au_.exe | 61
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Au_.exe
Processes
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 760
- C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 768
- C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 64
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2716
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2768
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2964
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3500
  - C:\Users\Admin\AppData\Local\Temp\f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f1e7e1001aeb2e61073278dd03a57f69_JaffaCakes118.exe"
    PID: 2244
    Signatures:
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall set opmode disable
      PID: 4008
      Signatures:
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Conhost.exe
        Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        PID: 4560
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall set opmode disable
        PID: 3536
        Signatures:
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      PID: 2364
      Signatures:
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Checks whether UAC is enabled
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
      - C:\Windows\SysWOW64\regsvr32.exe
        Command line: regsvr32 /u /s "C:\Users\Admin\AppData\Local\Temp\7-zip.dll"
        PID: 1488
        Signatures:
        - System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall set opmode disable
        PID: 4052
        Signatures:
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3668
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3832
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3924
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3996
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4076
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4108
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 2960
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3732
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (4)
Downloads
- Filesize: 57KB
  MD5: 78e662d435a8e1f5b9ced236fd331856
  SHA1: 60a9caf60870d077a73720e9077092d4297fdccd
  SHA256: f890411345438843d6fcba804d8c38dea1d43b9e327420752cc4a40eb4b49349
  SHA512: 7e4d9e57d404ceff70e93c83ab6ba2a876f485f6febff81f5046d84e87f5bfae8c18a75afb32e0360f17e03ced4fe7ab2a600b6db8fd53fbde7c88661684e0ad
- Filesize: 14KB
  MD5: 325b008aec81e5aaa57096f05d4212b5
  SHA1: 27a2d89747a20305b6518438eff5b9f57f7df5c3
  SHA256: c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
  SHA512: 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf
- Filesize: 494B
  MD5: 80c50d8228fe5f1a7179ba04e5232be3
  SHA1: 9a8d44d6366ca2be37a7151949a3991cbc096c24
  SHA256: 0b3a87281380119ac37a1e59b26f33bdabc2731cc388ff97a8992500f0e50437
  SHA512: 127b57b7c027f82d87a6129fefe56237920ac398dc4bee013ead8303fbcf0da4b242dfe40cc9df7ba1c0b64dfaff7c255dd1fdfec1d11f2b6520346a67dc15d1
- Filesize: 125KB
  MD5: f1e7e1001aeb2e61073278dd03a57f69
  SHA1: f3c6a4b785974217c1a1af914b19a6cdb0d8c5ab
  SHA256: 646c5fa222b322fee4fd877e378ed1f555bd3ce081e2b32c810a2025fc923a85
  SHA512: 78a1bed0442ecd39f1b9ac252e2d70909b03206efe735597eb55c80d68d78cdeb474384fbb69defe83efff2d7211e4e596b103ed65c1bd0d51daa026c4ac30e6
- Filesize: 258B
  MD5: 833e48eefdfadac4ded288e390c4f4ac
  SHA1: 63aa8ebe5b030235df94f548a5c96ea080b8bce1
  SHA256: 6e9590176e45e46d16f54d6f3df52736aae9fe1c7e97d98c2b6beb3b1abbf4cd
  SHA512: 81ffae5f6260db601fcd699c71c7311167475979119b4131a0dbcc17023b733bc2a840fe09046a3e33089e90edbbf4167b0954d36fcc0d0f3bf091fb0439eed4