Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 122s
max time network: 154s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 15/12/2024, 03:13

Static task: static1
Behavioral task: behavioral1
Sample: f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Resource: win7-20241010-en
General
Target: f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Size: 1.1MB
MD5: f205f6e8cacbbd148e21a24b3c10ed17
SHA1: 0649ff54ce49cda6f8cd07fad39744fa862cb861
SHA256: e30ff9d7795169a4023147ff15c43b9789cd3b5863d3bd1c3cda35a6b51f6653
SHA512: 33b35811566df540ff9a3de9147f928b1741c7a5eb57e029cd67ceab5df7ed5b5c9181e5b0455d63bcb8b94494f33b7ce19064c2b676a3444452c6fbb81efa25
SSDEEP: 24576:sfPeOAIwFTtFvW5AbgyjHnHoTcz6PYn9:GeOmFvWAzroTu7n
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe

Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe

Loads dropped DLL (1 IoC)
pid | Process
2572 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P:, \??\U:, \??\V:, \??\G:, \??\H:, \??\Q:, \??\T:, \??\Y:, \??\Z:, \??\I:, \??\M:, \??\N:, \??\R:, \??\S:, \??\W:, \??\E:, \??\J:, \??\O:, \??\X:, \??\K:, \??\L: (one row per drive letter, 21 rows) | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe

Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
File opened for modification | F:\autorun.inf | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe

resource | yara_rule
behavioral1/memory/2572-N-0x0000000001F70000-0x0000000002FFE000-memory.dmp for N in 3, 4, 8, 6, 7, 11, 5, 12, 13, 132, 133, 148, 150, 152, 224, 226, 228, 230, 240, 241, 243, 249, 251, 253 (24 memory dumps of the same region) | upx

Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe

Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process
2572 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe (12 identical rows)

Suspicious use of AdjustPrivilegeToken (29 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2572 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe (29 identical rows)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2572 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe (2 identical rows)

Suspicious use of WriteProcessMemory (51 IoCs)
description | pid | Process | procid_target
PID 2572 wrote to memory of 1264 | 2572 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 19 (12 rows)
PID 2572 wrote to memory of 1348 | 2572 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 20 (12 rows)
PID 2572 wrote to memory of 1408 | 2572 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 21 (12 rows)
PID 2572 wrote to memory of 1708 | 2572 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 23 (12 rows)
PID 2572 wrote to memory of 1640 | 2572 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 31 (1 row)
PID 2572 wrote to memory of 1764 | 2572 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 32 (1 row)
PID 2572 wrote to memory of 608 | 2572 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 33 (1 row)

System policy modification (1 TTP, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Processes
(path | command line | PID; indented entries are child processes)

C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1264

C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1348

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1408
    C:\Users\Admin\AppData\Local\Temp\f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe" | PID:2572
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Loads dropped DLL
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification

C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1708

C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | PID:1640

C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | PID:1764

C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | PID:608
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (6)
Downloads

Filesize: 156B
MD5: 1ea9e5b417811379e874ad4870d5c51a
SHA1: a4bd01f828454f3619a815dbe5423b181ec4051c
SHA256: f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a
SHA512: 965c10d2aa5312602153338da873e8866d2782e0cf633befe5a552b770e08abf47a4d2e007cdef7010c212ebcb9fefea5610c41c7ed1553440eaeab7ddd72daa

Filesize: 5KB
MD5: 653b1d4b5b7bfc5032a9599ab11fb2a5
SHA1: 8b0aab9cab6782cf0513120ecbff95e46055e7c1
SHA256: 38df0169aa16fbfd0c22dbd51274b890e21b6d371f3babff323d53dc35a11fd3
SHA512: a6feea252e720965154964790fb772eaa7b97567bee46c1df68af439fe9280013f7d156407ddba8faa29fd5c58efa4c1e6509f0500b849e0a173149ac1ea6895

Filesize: 506B
MD5: 5335f1c12201b5f7cf5f8b4f5692e3d1
SHA1: 13807a10369f7ff9ab3f9aba18135bccb98bec2d
SHA256: 974cd89e64bdaa85bf36ed2a50af266d245d781a8139f5b45d7c55a0b0841dda
SHA512: 0d4e54d2ffe96ccf548097f7812e3608537b4dae9687816983fddfb73223c196159cc6a39fcdc000784c79b2ced878efbc7a5b5f6e057973bf25b128124510df

Filesize: 22KB
MD5: 20633a7c3ad6d9349fcea90618768c6f
SHA1: cc7c37c3d04e01a218af4a4174bd8a4a1c2cca25
SHA256: 26a340d3a48857ec755faf23b7d8f2614edb98f3585ea0ca69a19da1cbb94704
SHA512: 53d70ed2860ca27a2aaafb03381acde6082dce9af1cf03c752ad6c6a349a7f59103ac87bd07ead1ff8e4abb13aa995fcdb35f0616d263bea4b045afe9535575f

Filesize: 322B
MD5: 5b97212a9d8ad0865531c4941e20bde6
SHA1: 61a0c546e8c2ac403ac2dc20587173c8e1418ffe
SHA256: d78b9e6c8cb83728615c7664d95dd2c3f11afd7bb4c382b0388ace743e2305af
SHA512: 5ef7b48c1a543b370b9957a20821f802f5578bda83a4aa4ab6a8cb47d465da31fee9b2de709a439245d8526b337c35c0738f2f7ce6122da9e9600d25a3f84ab5

Filesize: 753B
MD5: 1d355763888440e1bf715cac79f74ef6
SHA1: 55e535b136c6fceb7ade0f7d151624aa96afd2c5
SHA256: 35ea6c3c762385aeae9f5318a1f84375c906b05079bb738b765a42388feb6c49
SHA512: 74a2862fbd369aaa5400bd4bc75a3bc4c4689bfae9dafab1f220f9127509a234ac0587a31b84147ab7a775272e0377bbf469964c11dacbf721c45a30492aef11

Filesize: 614B
MD5: c8c780a3ec7f36b9ae05e61752cc181e
SHA1: 560b6e6988f1ae4704416e6e266963e4e9950188
SHA256: c1007ad61bccf7dbfdd0b1f22c53423e744e431fc7eb99e07c3560f0ea20682a
SHA512: cb1884a535d0dda494258292cca54a7272c4a0ece8784c28c094ac1d201930ce97fb1fdf14dc8f535e59199d4bc964a4121efa1584b4b777b726985d3dcda2f7

Filesize: 7KB
MD5: edb71146254d3b8ebae18607e801398c
SHA1: 8775027da6f6cc19c72d20c7f1615a01112e5d3c
SHA256: 3e3610a947c3c6ced9971d16d4231ee3699f71f404894da4ce39090a8170c71a
SHA512: 4eb29933fcaed8ad368309377bdcf69cb4e9f469d0c882d5ddd2fa3b0723d0ced29480ec024cab44b86b737351d49471d58601b121bb380079c5c696164f8d20

Filesize: 461B
MD5: 48db0a8b2ffb2e065893a768882a7ceb
SHA1: 170dfe44bf252343fddad3b45dd0673c2e7ae635
SHA256: 6600b196e680fe7e68464fb03d0283f0c3dca915acb328a2933072bc38755892
SHA512: f354ca7b682e945533971a8a0aca842405625638a3b612e835193f395f850ca4ae669c028e63ca32502c7054b30dd86870b7ec014c2afeb0ddad2f25cc4bb808

Filesize: 249B
MD5: aa21d08bebaaa9a8ad4eaa07e7acc7f1
SHA1: f6dfe9218347b6724a4c437326a23b7b5ef6a26b
SHA256: 174f5f673d324cf79235e265a99d6af57c6a181336de7941e0a2bd02d6c8a19c
SHA512: 7606bd0465fec1f8e671e19652d97e0ebb3305938b761ee6797e71108f557ba30f6e5ce8ccfd69591f8f4a24391b620ee530567dcdcbfcbdfaaf67d07689a428

Filesize: 297B
MD5: c023746db5223d69e882274ecf7ceec2
SHA1: dc96b3b697782a8fef2a224ff1b8127e3c6f8ded
SHA256: eb33cc6256f3e09ddc74b4cb4f318e2b5b66d7aa17498fca2ad2e6ef88183262
SHA512: 7df40a0bd67fcb945d97ed42b82acb98d6effdf57786013d2a035817937bd04251f878c924237fb9353a16807f95019b4de650ac8b07c1b5f78069eaed4d0a67

Filesize: 694B
MD5: 486f87357936385fdd4cea6687a1dd48
SHA1: 3c46febc4f1750319bba0d24afd93d9ce81e7fee
SHA256: e227f2d334164b685eb3644cca6ede68b2e80a22b153e9b3c71d1a1795e484a6
SHA512: f1647f028a0c2504244d5294021ee4bd03818cc481baac3542459df637256fc0b4c8b79d2c0acb106de7ac92ccef9d38b1037c9c640e8b68c2cff14487b0d7da

Filesize: 375B
MD5: d068ae67dab5294d4d4a8483f530580b
SHA1: 47a248d05c0da33937f4881521382db4634f1c06
SHA256: 5a5a5d2acb4172d045762acbde33ccb35b96f347eeebfd3e0f4713b8d24a0505
SHA512: 0fcfa96b0f6ff303e912ba61d7621dd31f3759e6d816bb8cd43bbb28b07d24e6d2ed9d8eae3e6bd81fdc35a3456c57f4712b26b634c8b40dd3f2f020b10c1df0

Filesize: 2KB
MD5: 0711ca47172fd4db4cfc3a26bcf1abea
SHA1: ad78d20b1cad9a17193433b88848db81356c8718
SHA256: 2f7d6b7184e4e3bf114d90f2c65ff1a4a660a19ff1f885b843ba5af2da007852
SHA512: 707ccecc38009b6f0551c3c40647b4288589ef0d115a2b7af2cd25cb735fac853032495ef9e83d24f9c4e54091e5c6d2dc3cfd9e6460e3b06160454686e30cce

Filesize: 100KB
MD5: 76d69e4008c7fc21aaf5d395eea9be93
SHA1: 16c881885f24ed658a08676937450d37eea6cb6c
SHA256: c9525c4e8cae40928ef00b55ea850ea635ba0a14f8c7fd0be54ebf2bfba24ab0
SHA512: 2185f3d2f26a3bd15d59353cbcbd68db3a064e0f0ca4fd180655f5d47d7c6d9d71b5b5c94c28409e2549bb476cf358d1eda051327be22e24d42e2c65d0f11397

Filesize: 1.1MB
MD5: f205f6e8cacbbd148e21a24b3c10ed17
SHA1: 0649ff54ce49cda6f8cd07fad39744fa862cb861
SHA256: e30ff9d7795169a4023147ff15c43b9789cd3b5863d3bd1c3cda35a6b51f6653
SHA512: 33b35811566df540ff9a3de9147f928b1741c7a5eb57e029cd67ceab5df7ed5b5c9181e5b0455d63bcb8b94494f33b7ce19064c2b676a3444452c6fbb81efa25