Analysis
-
max time kernel
122s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15-12-2024 02:22
Static task
static1
Behavioral task
behavioral1
Sample
f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe
-
Size
100KB
-
MD5
f1d91b0bd10d9d026aac1fa3139a306f
-
SHA1
96582a0adb131012dcacd4d3254350eab06ad3b3
-
SHA256
c45bf646139646c7851cde0eaefe068ef9f445dbd737cb0740a60d7bbad5c24a
-
SHA512
7a0105b611c4f1eb62879ebe635d2d344f155368508cf61f7fa3fee945b0fad79fbef0955318e8380f26dbf103ccb61fcdf5cbe4abcc7da168fcbb7cd66c4af8
-
SSDEEP
3072:DJCc0oYnO+ZvYWCXT3YKG9jjzBzQGwIcNSWLF7XCl:lpJ+9psTY/xjzxjwIcIWCl
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened (read-only) \??\M: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened (read-only) \??\Q: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened (read-only) \??\S: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened (read-only) \??\T: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened (read-only) \??\U: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened (read-only) \??\E: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened (read-only) \??\I: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened (read-only) \??\V: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened (read-only) \??\Z: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened (read-only) \??\W: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened (read-only) \??\O: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened (read-only) \??\R: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened (read-only) \??\J: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened (read-only) \??\N: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened (read-only) \??\X: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened (read-only) \??\G: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened (read-only) \??\H: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened (read-only) \??\Y: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened (read-only) \??\K: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened (read-only) \??\P: f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened for modification F:\autorun.inf f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe -
resource yara_rule behavioral1/memory/2124-3-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-5-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-6-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-21-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-4-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-7-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-26-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-25-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-27-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-28-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-29-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-30-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-32-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-31-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-34-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-35-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-51-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-53-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-55-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-57-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-58-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-60-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-62-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-65-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-67-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx behavioral1/memory/2124-70-0x0000000001EB0000-0x0000000002F3E000-memory.dmp upx -
Drops file in Program Files directory 5 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 29 IoCs
description pid Process Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe Token: SeDebugPrivilege 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 2124 wrote to memory of 1100 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 19 PID 2124 wrote to memory of 1156 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 20 PID 2124 wrote to memory of 1204 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 21 PID 2124 wrote to memory of 1664 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 25 PID 2124 wrote to memory of 1100 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 19 PID 2124 wrote to memory of 1156 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 20 PID 2124 wrote to memory of 1204 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 21 PID 2124 wrote to memory of 1664 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 25 PID 2124 wrote to memory of 1100 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 19 PID 2124 wrote to memory of 1156 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 20 PID 2124 wrote to memory of 1204 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 21 PID 2124 wrote to memory of 1664 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 25 PID 2124 wrote to memory of 1100 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 19 PID 2124 wrote to memory of 1156 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 20 PID 2124 wrote to memory of 1204 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 21 PID 2124 wrote to memory of 1664 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 25 PID 2124 wrote to memory of 1100 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 19 PID 2124 wrote to memory of 1156 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 20 PID 2124 wrote to memory of 1204 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 21 PID 2124 wrote to memory of 1664 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 25 PID 2124 wrote to memory of 1100 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 19 PID 2124 wrote to memory of 1156 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 20 PID 2124 wrote to memory of 1204 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 21 PID 2124 wrote to memory of 1664 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 25 PID 2124 wrote to memory of 1100 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 19 PID 2124 wrote to memory of 1156 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 20 PID 2124 wrote to memory of 1204 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 21 PID 2124 wrote to memory of 1664 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 25 PID 2124 wrote to memory of 1100 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 19 PID 2124 wrote to memory of 1156 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 20 PID 2124 wrote to memory of 1204 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 21 PID 2124 wrote to memory of 1664 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 25 PID 2124 wrote to memory of 1100 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 19 PID 2124 wrote to memory of 1156 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 20 PID 2124 wrote to memory of 1204 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 21 PID 2124 wrote to memory of 1664 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 25 PID 2124 wrote to memory of 1100 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 19 PID 2124 wrote to memory of 1156 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 20 PID 2124 wrote to memory of 1204 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 21 PID 2124 wrote to memory of 1664 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 25 PID 2124 wrote to memory of 1100 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 19 PID 2124 wrote to memory of 1156 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 20 PID 2124 wrote to memory of 1204 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 21 PID 2124 wrote to memory of 1664 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 25 PID 2124 wrote to memory of 1100 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 19 PID 2124 wrote to memory of 1156 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 20 PID 2124 wrote to memory of 1204 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 21 PID 2124 wrote to memory of 1664 2124 f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe 25 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1100
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1156
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1204
-
C:\Users\Admin\AppData\Local\Temp\f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f1d91b0bd10d9d026aac1fa3139a306f_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2124
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1664
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD502aff1455cf75a7bbb62c0d41a6d1705
SHA1b88337a2bd463f5cc33318d10f6ce467383ea2ae
SHA256c8b31d7454186764f4bcc4bdfa58cae2702a649d4f0c61990892284d8af39519
SHA512566fac6b0e82e4ce6ddc9ba1a9bf213087e7b0449168b9055765105c9b532b8277ad377e4c6147fb1502f314abe115cb34d8543e3fae1b092f392f8998cb4c28