Analysis
- max time kernel: 123s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/12/2024, 03:13
Static task
static1
Behavioral task
behavioral1
Sample
f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Resource
win7-20241010-en
General
-
Target
f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
f205f6e8cacbbd148e21a24b3c10ed17
-
SHA1
0649ff54ce49cda6f8cd07fad39744fa862cb861
-
SHA256
e30ff9d7795169a4023147ff15c43b9789cd3b5863d3bd1c3cda35a6b51f6653
-
SHA512
33b35811566df540ff9a3de9147f928b1741c7a5eb57e029cd67ceab5df7ed5b5c9181e5b0455d63bcb8b94494f33b7ce19064c2b676a3444452c6fbb81efa25
-
SSDEEP
24576:sfPeOAIwFTtFvW5AbgyjHnHoTcz6PYn9:GeOmFvWAzroTu7n
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
-
Sality family
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) by f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe, one entry per drive root (21 entries): \??\P:, \??\O:, \??\J:, \??\L:, \??\G:, \??\I:, \??\K:, \??\N:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\E:, \??\W:, \??\X:, \??\U:, \??\M:, \??\V:, \??\Y:, \??\Z:, \??\H:
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
File opened for modification | F:\autorun.inf | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
-
resource | yara_rule
behavioral2/memory/1560-N-0x0000000002590000-0x000000000361E000-memory.dmp | upx
(the upx rule matched the same memory region of PID 1560 in 40 snapshots; N takes the values 1, 3, 4, 5, 8, 6, 7, 117, 118, 119, 155, 156, 158, 160, 161, 163, 164, 165, 167, 168, 170, 172, 174, 179, 180, 182, 184, 185, 187, 186, 188, 195, 197, 199, 200, 202, 204, 207, 208, 210)
-
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid | Process
1560 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe (24 identical entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1560 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe (64 identical entries)
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1560 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe (2 identical entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | entries
(64 entries in total, collapsed by target PID; the last column is how many times the row appears)
PID 1560 wrote to memory of 768 | 1560 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 8 | 4
PID 1560 wrote to memory of 776 | 1560 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 9 | 4
PID 1560 wrote to memory of 60 | 1560 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 13 | 4
PID 1560 wrote to memory of 2884 | 1560 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 49 | 4
PID 1560 wrote to memory of 2932 | 1560 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 50 | 4
PID 1560 wrote to memory of 3016 | 1560 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 51 | 4
PID 1560 wrote to memory of 3460 | 1560 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 56 | 4
PID 1560 wrote to memory of 3572 | 1560 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 57 | 4
PID 1560 wrote to memory of 3760 | 1560 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 58 | 4
PID 1560 wrote to memory of 3856 | 1560 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 59 | 4
PID 1560 wrote to memory of 3924 | 1560 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 60 | 4
PID 1560 wrote to memory of 4012 | 1560 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 61 | 4
PID 1560 wrote to memory of 2264 | 1560 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 62 | 4
PID 1560 wrote to memory of 2844 | 1560 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 75 | 4
PID 1560 wrote to memory of 3544 | 1560 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 76 | 3
PID 1560 wrote to memory of 3252 | 1560 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 81 | 2
PID 1560 wrote to memory of 3768 | 1560 | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | 83 | 3
-
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe
Processes
(image path | command line | PID; indentation shows the parent/child relationship)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:768
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:60
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2884
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2932
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3016
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3460
  - C:\Users\Admin\AppData\Local\Temp\f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe" | PID:1560
    Signatures triggered by this process:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\f205f6e8cacbbd148e21a24b3c10ed17_JaffaCakes118.exe" /_ShowProgress | PID:3768
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3572
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3760
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3856
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3924
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4012
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2264
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2844
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3544
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:3252
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
-
Filesize: 156B
MD5: 1ea9e5b417811379e874ad4870d5c51a
SHA1: a4bd01f828454f3619a815dbe5423b181ec4051c
SHA256: f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a
SHA512: 965c10d2aa5312602153338da873e8866d2782e0cf633befe5a552b770e08abf47a4d2e007cdef7010c212ebcb9fefea5610c41c7ed1553440eaeab7ddd72daa
-
Filesize: 5KB
MD5: 653b1d4b5b7bfc5032a9599ab11fb2a5
SHA1: 8b0aab9cab6782cf0513120ecbff95e46055e7c1
SHA256: 38df0169aa16fbfd0c22dbd51274b890e21b6d371f3babff323d53dc35a11fd3
SHA512: a6feea252e720965154964790fb772eaa7b97567bee46c1df68af439fe9280013f7d156407ddba8faa29fd5c58efa4c1e6509f0500b849e0a173149ac1ea6895
-
Filesize: 506B
MD5: 5335f1c12201b5f7cf5f8b4f5692e3d1
SHA1: 13807a10369f7ff9ab3f9aba18135bccb98bec2d
SHA256: 974cd89e64bdaa85bf36ed2a50af266d245d781a8139f5b45d7c55a0b0841dda
SHA512: 0d4e54d2ffe96ccf548097f7812e3608537b4dae9687816983fddfb73223c196159cc6a39fcdc000784c79b2ced878efbc7a5b5f6e057973bf25b128124510df
-
Filesize: 22KB
MD5: 20633a7c3ad6d9349fcea90618768c6f
SHA1: cc7c37c3d04e01a218af4a4174bd8a4a1c2cca25
SHA256: 26a340d3a48857ec755faf23b7d8f2614edb98f3585ea0ca69a19da1cbb94704
SHA512: 53d70ed2860ca27a2aaafb03381acde6082dce9af1cf03c752ad6c6a349a7f59103ac87bd07ead1ff8e4abb13aa995fcdb35f0616d263bea4b045afe9535575f
-
Filesize: 322B
MD5: 5b97212a9d8ad0865531c4941e20bde6
SHA1: 61a0c546e8c2ac403ac2dc20587173c8e1418ffe
SHA256: d78b9e6c8cb83728615c7664d95dd2c3f11afd7bb4c382b0388ace743e2305af
SHA512: 5ef7b48c1a543b370b9957a20821f802f5578bda83a4aa4ab6a8cb47d465da31fee9b2de709a439245d8526b337c35c0738f2f7ce6122da9e9600d25a3f84ab5
-
Filesize: 753B
MD5: 1d355763888440e1bf715cac79f74ef6
SHA1: 55e535b136c6fceb7ade0f7d151624aa96afd2c5
SHA256: 35ea6c3c762385aeae9f5318a1f84375c906b05079bb738b765a42388feb6c49
SHA512: 74a2862fbd369aaa5400bd4bc75a3bc4c4689bfae9dafab1f220f9127509a234ac0587a31b84147ab7a775272e0377bbf469964c11dacbf721c45a30492aef11
-
Filesize: 614B
MD5: c8c780a3ec7f36b9ae05e61752cc181e
SHA1: 560b6e6988f1ae4704416e6e266963e4e9950188
SHA256: c1007ad61bccf7dbfdd0b1f22c53423e744e431fc7eb99e07c3560f0ea20682a
SHA512: cb1884a535d0dda494258292cca54a7272c4a0ece8784c28c094ac1d201930ce97fb1fdf14dc8f535e59199d4bc964a4121efa1584b4b777b726985d3dcda2f7
-
Filesize: 7KB
MD5: edb71146254d3b8ebae18607e801398c
SHA1: 8775027da6f6cc19c72d20c7f1615a01112e5d3c
SHA256: 3e3610a947c3c6ced9971d16d4231ee3699f71f404894da4ce39090a8170c71a
SHA512: 4eb29933fcaed8ad368309377bdcf69cb4e9f469d0c882d5ddd2fa3b0723d0ced29480ec024cab44b86b737351d49471d58601b121bb380079c5c696164f8d20
-
Filesize: 461B
MD5: 48db0a8b2ffb2e065893a768882a7ceb
SHA1: 170dfe44bf252343fddad3b45dd0673c2e7ae635
SHA256: 6600b196e680fe7e68464fb03d0283f0c3dca915acb328a2933072bc38755892
SHA512: f354ca7b682e945533971a8a0aca842405625638a3b612e835193f395f850ca4ae669c028e63ca32502c7054b30dd86870b7ec014c2afeb0ddad2f25cc4bb808
-
Filesize: 249B
MD5: aa21d08bebaaa9a8ad4eaa07e7acc7f1
SHA1: f6dfe9218347b6724a4c437326a23b7b5ef6a26b
SHA256: 174f5f673d324cf79235e265a99d6af57c6a181336de7941e0a2bd02d6c8a19c
SHA512: 7606bd0465fec1f8e671e19652d97e0ebb3305938b761ee6797e71108f557ba30f6e5ce8ccfd69591f8f4a24391b620ee530567dcdcbfcbdfaaf67d07689a428
-
Filesize: 297B
MD5: c023746db5223d69e882274ecf7ceec2
SHA1: dc96b3b697782a8fef2a224ff1b8127e3c6f8ded
SHA256: eb33cc6256f3e09ddc74b4cb4f318e2b5b66d7aa17498fca2ad2e6ef88183262
SHA512: 7df40a0bd67fcb945d97ed42b82acb98d6effdf57786013d2a035817937bd04251f878c924237fb9353a16807f95019b4de650ac8b07c1b5f78069eaed4d0a67
-
Filesize: 694B
MD5: 486f87357936385fdd4cea6687a1dd48
SHA1: 3c46febc4f1750319bba0d24afd93d9ce81e7fee
SHA256: e227f2d334164b685eb3644cca6ede68b2e80a22b153e9b3c71d1a1795e484a6
SHA512: f1647f028a0c2504244d5294021ee4bd03818cc481baac3542459df637256fc0b4c8b79d2c0acb106de7ac92ccef9d38b1037c9c640e8b68c2cff14487b0d7da
-
Filesize: 375B
MD5: d068ae67dab5294d4d4a8483f530580b
SHA1: 47a248d05c0da33937f4881521382db4634f1c06
SHA256: 5a5a5d2acb4172d045762acbde33ccb35b96f347eeebfd3e0f4713b8d24a0505
SHA512: 0fcfa96b0f6ff303e912ba61d7621dd31f3759e6d816bb8cd43bbb28b07d24e6d2ed9d8eae3e6bd81fdc35a3456c57f4712b26b634c8b40dd3f2f020b10c1df0
-
Filesize: 100KB
MD5: 8be2cfb4a92ed0b6a54e58a8e1766f8b
SHA1: 22eb8957a516bfbaf0595be468a286cd8752c051
SHA256: f4746749d52b6351389501147b4efec3f68cc06c20647197ba010b618bee99c3
SHA512: ea26586bf82d43b337fba0c8c4edc9ea77ccfc1a50a650c9ea8799b387f0c1cc7185a64570037f32910fc3121fd78f29fbd4bc3e99829267e2219cc57104bcd2