Analysis
max time kernel: 95s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-12-2024 05:24
Static task: static1
Behavioral task: behavioral1
Sample: f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Resource: win7-20241023-en
General
Target: f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Size: 1.9MB
MD5: f27cee8243c7fb02820bb696434ddf7a
SHA1: e59e81ddb54048c6780ad851423be2e9ca17f944
SHA256: 2085f0ff4db0f32f394b5bc5265cd02553bdb60e09870b150d16e401a681e07f
SHA512: c5cbb6e96077cffaf826017f5c09a0508101c019e790bbb2f05fcc54e4d83a9b246d9f8c794d474f61547deff44f993472a1f7b574c516cb765273bab76e72a3
SSDEEP: 12288:ft44anavi/9GJniw6U3Xq3gwUwoMTDU03ULgzyygn7iDE37f8evbSbhkXdL3q12d:2nannCUIzU8tUJywBf8GmbmXdL3E2So
Malware Config
Extracted family: sality
URLs from the extracted config:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe

Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
EnableLUA = 0 turns UAC off machine-wide, but only from the next reboot; it does not elevate the process that wrote it.

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
These writes land under WOW6432Node because the sample runs as a 32-bit process (arch:x86 tag) and WOW64 redirects HKLM\SOFTWARE\Microsoft\Security Center for it; the Policies\System and SYSTEM-hive writes in the other signatures are not redirected and hit the real keys.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe

Yara rule match: upx (10 IoCs)
resource | yara_rule
behavioral2/memory/2720-6-0x00000000022F0000-0x000000000337E000-memory.dmp | upx
behavioral2/memory/2720-3-0x00000000022F0000-0x000000000337E000-memory.dmp | upx
behavioral2/memory/2720-5-0x00000000022F0000-0x000000000337E000-memory.dmp | upx
behavioral2/memory/2720-23-0x00000000022F0000-0x000000000337E000-memory.dmp | upx
behavioral2/memory/2720-24-0x00000000022F0000-0x000000000337E000-memory.dmp | upx
behavioral2/memory/2720-36-0x00000000022F0000-0x000000000337E000-memory.dmp | upx
behavioral2/memory/2720-26-0x00000000022F0000-0x000000000337E000-memory.dmp | upx
behavioral2/memory/2720-4-0x00000000022F0000-0x000000000337E000-memory.dmp | upx
behavioral2/memory/2720-7-0x00000000022F0000-0x000000000337E000-memory.dmp | upx
behavioral2/memory/2720-1-0x00000000022F0000-0x000000000337E000-memory.dmp | upx
All ten dumps are of the same region (0x022F0000-0x0337E000) of PID 2720, taken at different points in the run.

Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe

Modifies registry class (3 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\{737610D0-BCDA773D-233B1494-E817C81C}\ = [value elided] | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\{737610D0-BCDA773D-233B1494-E817C81C} | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\{737610D0-BCDA773D-233B1494-E817C81C}\ = [value elided] | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2720 | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
2720 | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2720 | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
(this identical row occurs 64 times in the report)

Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 2720 wrote to memory of 784 | 2720 | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe | 8
PID 2720 wrote to memory of 792 | 2720 | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe | 9
PID 2720 wrote to memory of 336 | 2720 | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe | 13
PID 2720 wrote to memory of 2756 | 2720 | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe | 49
PID 2720 wrote to memory of 2772 | 2720 | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe | 50
PID 2720 wrote to memory of 3004 | 2720 | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe | 51
PID 2720 wrote to memory of 3496 | 2720 | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe | 56
PID 2720 wrote to memory of 3628 | 2720 | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe | 57
PID 2720 wrote to memory of 3820 | 2720 | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe | 58
PID 2720 wrote to memory of 3912 | 2720 | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe | 59
PID 2720 wrote to memory of 4024 | 2720 | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe | 60
PID 2720 wrote to memory of 2648 | 2720 | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe | 61
PID 2720 wrote to memory of 4220 | 2720 | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe | 62
PID 2720 wrote to memory of 4392 | 2720 | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe | 75
PID 2720 wrote to memory of 4100 | 2720 | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe | 76
PID 2720 wrote to memory of 3812 | 2720 | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe | 81

System policy modification (1 TTP, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
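The registry rows in the signature tables above are the whole defense-impairment footprint of this run: firewall profile values under SYSTEM, EnableLUA under Policies\System, and the Security Center override/notify values under WOW6432Node. The Python below is an added example, not code from the report or from the sandbox vendor. It parses those rows exactly as the sandbox prints them, normalises the NT-native paths into Win32 hive notation (folding WOW6432Node and ControlSet001 so a 32-bit sample's redirected writes compare against the same logical key), and checks them against a host registry snapshot. The IoC rows are transcribed from this report; the host snapshot is constructed for the example and is not data from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Transcribed from the report's signature tables (a subset, one row per line), in the
# "<operation> <NT-native path> = "<value>" <process>" shape the sandbox prints.
REPORT_IOCS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
"""

# Constructed host snapshot (not from the report): what flattening `reg query` output of
# the same keys on an infected 64-bit host into path -> data might look like.
HOST_SNAPSHOT = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall": "0",
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications": "0",  # clean
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": "0",
    r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride": "1",
    r"HKLM\SOFTWARE\Microsoft\Security Center\Svc\Example": "1",  # hypothetical value under the created key
}

SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<path>\\REGISTRY\\.+?) (?P<proc>\S+)$')
HIVES = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU"}


@dataclass(frozen=True)
class RegIoc:
    op: str        # "set" or "key"
    hive: str      # HKLM / HKU
    key: str       # Win32-style key path, WOW6432Node removed, ControlSet001 -> CurrentControlSet
    name: str      # value name ("" for key creation)
    value: str     # value as printed by the sandbox ("" for key creation)
    process: str


def normalize_key(native: str) -> Tuple[str, str]:
    """Map an NT-native path to (hive, Win32 key path) with WOW64 redirection folded away
    and the sandbox VM's boot control set folded into CurrentControlSet."""
    for prefix, hive in HIVES.items():
        if native.upper().startswith(prefix):
            key = native[len(prefix) + 1:]
            key = key.replace("\\WOW6432Node", "").replace("ControlSet001", "CurrentControlSet")
            return hive, key
    raise ValueError(f"unknown hive in {native!r}")


def parse_iocs(text: str) -> List[RegIoc]:
    """Parse 'Set value' and 'Key created' rows; rows of other kinds are skipped."""
    out: List[RegIoc] = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            hive, key = normalize_key(m["path"])
            key, _, name = key.rpartition("\\")
            out.append(RegIoc("set", hive, key, name, m["value"], m["proc"]))
            continue
        m = KEY_RE.match(line)
        if m:
            hive, key = normalize_key(m["path"])
            out.append(RegIoc("key", hive, key, "", "", m["proc"]))
    return out


def snapshot_hits(iocs: List[RegIoc], snapshot: Dict[str, str]) -> List[str]:
    """Return the IoC rows reproduced in the snapshot: a 'set' row hits when the host holds
    the same data, a 'key' row hits when any snapshot entry lives under that key."""
    present = {k.lower(): v for k, v in snapshot.items()}
    hits: List[str] = []
    for ioc in iocs:
        if ioc.op == "set":
            full = f"{ioc.hive}\\{ioc.key}\\{ioc.name}"
            if present.get(full.lower()) == ioc.value:
                hits.append(f"{full} = {ioc.value}")
        else:
            prefix = f"{ioc.hive}\\{ioc.key}\\".lower()
            if any(k.startswith(prefix) for k in present):
                hits.append(f"{ioc.hive}\\{ioc.key} (key exists)")
    return hits


if __name__ == "__main__":
    for hit in snapshot_hits(parse_iocs(REPORT_IOCS), HOST_SNAPSHOT):
        print("reproduced on host:", hit)
```

Because the comparison is on the normalised key, a hit for AntiVirusOverride means the value is set in whichever view of Security Center the host actually uses; on a live 64-bit host you would still want to query both the native and the WOW6432Node view, since only the latter is what this 32-bit sample wrote.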
Processes (image | command line | PID; indentation shows the parent/child tree)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 784
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 792
C:\Windows\system32\dwm.exe | "dwm.exe" | PID 336
C:\Windows\system32\sihost.exe | sihost.exe | PID 2756
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2772
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 3004
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3496
    C:\Users\Admin\AppData\Local\Temp\f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe" | PID 2720
    Signatures on this process:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3628
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3820
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3912
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4024
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 2648
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4220
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 4392
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4100
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 3812
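The WriteProcessMemory rows record one source PID writing into sixteen other processes, and the process list above maps each of those PIDs to an image. The Python below is an added example, not part of the report, that joins the two: it parses the rows as transcribed from this page, resolves each target PID to its image name, and computes what fraction of the other processes in the tree the sample wrote into. The coverage ratio is a triage heuristic proposed here, not a sandbox signature; the two input blocks are transcribed from this report.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Transcribed from the report's process list: "<pid> <image path>", one per line.
PROCESS_LIST = r"""
784 C:\Windows\system32\fontdrvhost.exe
792 C:\Windows\system32\fontdrvhost.exe
336 C:\Windows\system32\dwm.exe
2756 C:\Windows\system32\sihost.exe
2772 C:\Windows\system32\svchost.exe
3004 C:\Windows\system32\taskhostw.exe
3496 C:\Windows\Explorer.EXE
2720 C:\Users\Admin\AppData\Local\Temp\f27cee8243c7fb02820bb696434ddf7a_JaffaCakes118.exe
3628 C:\Windows\system32\svchost.exe
3820 C:\Windows\system32\DllHost.exe
3912 C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
4024 C:\Windows\System32\RuntimeBroker.exe
2648 C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
4220 C:\Windows\System32\RuntimeBroker.exe
4392 C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
4100 C:\Windows\System32\RuntimeBroker.exe
3812 C:\Windows\system32\backgroundTaskHost.exe
"""

# Transcribed from the "Suspicious use of WriteProcessMemory" rows (description column).
WPM_ROWS = """
PID 2720 wrote to memory of 784
PID 2720 wrote to memory of 792
PID 2720 wrote to memory of 336
PID 2720 wrote to memory of 2756
PID 2720 wrote to memory of 2772
PID 2720 wrote to memory of 3004
PID 2720 wrote to memory of 3496
PID 2720 wrote to memory of 3628
PID 2720 wrote to memory of 3820
PID 2720 wrote to memory of 3912
PID 2720 wrote to memory of 4024
PID 2720 wrote to memory of 2648
PID 2720 wrote to memory of 4220
PID 2720 wrote to memory of 4392
PID 2720 wrote to memory of 4100
PID 2720 wrote to memory of 3812
"""

PROC_RE = re.compile(r"^(\d+)\s+(\S.*)$")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_process_list(text: str) -> Dict[int, str]:
    """pid -> image path, from the transcribed process list."""
    procs: Dict[int, str] = {}
    for line in text.strip().splitlines():
        m = PROC_RE.match(line)
        if m:
            procs[int(m.group(1))] = m.group(2)
    return procs


def parse_wpm(text: str) -> List[Tuple[int, int]]:
    """(source pid, target pid) pairs from the WriteProcessMemory descriptions."""
    return [(int(s), int(t)) for s, t in WPM_RE.findall(text)]


def image_name(path: str) -> str:
    """Case-folded basename, so Explorer.EXE and explorer.exe count as one image."""
    return PureWindowsPath(path).name.lower()


def injection_targets(procs: Dict[int, str], writes: List[Tuple[int, int]]) -> Dict[int, List[Tuple[int, str]]]:
    """source pid -> [(target pid, target image name)]; PIDs missing from the list show as '?'."""
    out: Dict[int, List[Tuple[int, str]]] = defaultdict(list)
    for src, dst in writes:
        out[src].append((dst, image_name(procs.get(dst, "?"))))
    return dict(out)


def injection_coverage(procs: Dict[int, str], writes: List[Tuple[int, int]], source: int) -> float:
    """Fraction of the other processes in the tree that `source` wrote into. One process
    touching nearly everything else is the shape of an infector spreading, not of the
    usual single parent-to-child injection."""
    others = set(procs) - {source}
    touched = {dst for src, dst in writes if src == source} & others
    return len(touched) / len(others) if others else 0.0


def target_histogram(procs: Dict[int, str], writes: List[Tuple[int, int]], source: int) -> Counter:
    """How many times each image name was written into by `source`."""
    return Counter(name for _, name in injection_targets(procs, writes).get(source, []))


if __name__ == "__main__":
    procs = parse_process_list(PROCESS_LIST)
    writes = parse_wpm(WPM_ROWS)
    print(f"coverage of other processes by 2720: {injection_coverage(procs, writes, 2720):.0%}")
    for name, n in target_histogram(procs, writes, 2720).most_common():
        print(f"{n:2d}  {name}")
```

Run as is, it reports that PID 2720 wrote into every one of the sixteen other processes, RuntimeBroker.exe three times and svchost.exe and fontdrvhost.exe twice each, which is what the sixteen rows above say once the PIDs are resolved.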
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (T1548) 1: Bypass User Account Control (T1548.002) 1
  Create or Modify System Process (T1543) 1: Windows Service (T1543.003) 1
Defense Evasion
  Abuse Elevation Control Mechanism (T1548) 1: Bypass User Account Control (T1548.002) 1
  Impair Defenses (T1562) 4: Disable or Modify System Firewall (T1562.004) 1, Disable or Modify Tools (T1562.001) 3
  Modify Registry (T1112) 5
Downloads
Filesize: 2KB
MD5: 9b598855e5c020b37687ab488eafc7fd
SHA1: a63c22507abb5a28e312c844b79e2f140bb11b8b
SHA256: e34cab8642f9fc94c18935af591727a923a65a54458ec5fb7709646fae44d027
SHA512: 5f1b1b18db3f181593cba6462b44f7947c140101b712fb9648c32213ad0daf55c07cd9e1944da6f28c6fffd4c8358cbe1bd4541da50adba803254bb2e6b60513