Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15-12-2024 05:49
Static task
static1
Behavioral task
behavioral1
Sample
f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe
Resource
win7-20241010-en
General
-
Target
f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe
-
Size
100KB
-
MD5
f29472b941613ed18d2d65a797139dbd
-
SHA1
83e6b61b2232bdbdcdb92f88f1df03eaed290fa8
-
SHA256
f0a5c4365d7d937f1ca285a6b6074c8bdd1dd9acf0d7ff0847b89445bd41f8e6
-
SHA512
928a86b67e20c24d9b0136fcc0de3cbabc125b79b5ca0fcd9e804efd29f89e746061b98741eac7e63fd1777d7c46dd29cb58cd6c5a31f4ca109cac74e93ab3dd
-
SSDEEP
1536:UbkNltaF3fghQwkHqecXHKeajGvaoP+BVY2L7DGM9lJFZMoJeB+Ya:UQNlto3fDwkVd3jGxOLjTjDeU
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe -
Disables Task Manager via registry modification
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened (read-only) \??\U: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened (read-only) \??\L: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened (read-only) \??\O: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened (read-only) \??\R: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened (read-only) \??\S: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened (read-only) \??\W: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened (read-only) \??\Y: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened (read-only) \??\E: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened (read-only) \??\I: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened (read-only) \??\N: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened (read-only) \??\Z: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened (read-only) \??\K: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened (read-only) \??\M: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened (read-only) \??\P: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened (read-only) \??\Q: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened (read-only) \??\T: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened (read-only) \??\V: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened (read-only) \??\H: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened (read-only) \??\J: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened (read-only) \??\X: f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened for modification F:\autorun.inf f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe -
resource yara_rule behavioral2/memory/1624-1-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-3-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-9-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-4-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-11-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-5-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-8-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-13-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-14-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-15-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-16-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-17-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-18-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-19-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-20-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-22-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-23-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-25-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-27-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-28-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-30-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-33-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-34-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-37-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-39-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-40-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-41-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-42-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-44-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-43-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-46-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-47-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-54-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-56-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-58-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-60-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-61-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-63-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-65-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-66-0x00000000021E0000-0x000000000326E000-memory.dmp upx behavioral2/memory/1624-68-0x00000000021E0000-0x000000000326E000-memory.dmp upx -
Drops file in Program Files directory 11 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe Token: SeDebugPrivilege 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1624 wrote to memory of 800 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 9 PID 1624 wrote to memory of 808 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 10 PID 1624 wrote to memory of 380 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 13 PID 1624 wrote to memory of 3008 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 51 PID 1624 wrote to memory of 2268 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 52 PID 1624 wrote to memory of 1068 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 53 PID 1624 wrote to memory of 3444 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 56 PID 1624 wrote to memory of 3560 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 57 PID 1624 wrote to memory of 3756 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 58 PID 1624 wrote to memory of 3844 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 59 PID 1624 wrote to memory of 3908 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 60 PID 1624 wrote to memory of 3984 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 61 PID 1624 wrote to memory of 3548 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 62 PID 1624 wrote to memory of 4184 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 74 PID 1624 wrote to memory of 4892 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 76 PID 1624 wrote to memory of 3504 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 81 PID 1624 wrote to memory of 800 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 9 PID 1624 wrote to memory of 808 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 10 PID 1624 wrote to memory of 380 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 13 PID 1624 wrote to memory of 3008 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 51 PID 1624 wrote to memory of 2268 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 52 PID 1624 wrote to memory of 1068 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 53 PID 1624 wrote to memory of 3444 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 56 PID 1624 wrote to memory of 3560 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 57 PID 1624 wrote to memory of 3756 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 58 PID 1624 wrote to memory of 3844 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 59 PID 1624 wrote to memory of 3908 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 60 PID 1624 wrote to memory of 3984 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 61 PID 1624 wrote to memory of 3548 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 62 PID 1624 wrote to memory of 4184 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 74 PID 1624 wrote to memory of 4892 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 76 PID 1624 wrote to memory of 3504 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 81 PID 1624 wrote to memory of 800 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 9 PID 1624 wrote to memory of 808 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 10 PID 1624 wrote to memory of 380 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 13 PID 1624 wrote to memory of 3008 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 51 PID 1624 wrote to memory of 2268 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 52 PID 1624 wrote to memory of 1068 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 53 PID 1624 wrote to memory of 3444 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 56 PID 1624 wrote to memory of 3560 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 57 PID 1624 wrote to memory of 3756 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 58 PID 1624 wrote to memory of 3844 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 59 PID 1624 wrote to memory of 3908 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 60 PID 1624 wrote to memory of 3984 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 61 PID 1624 wrote to memory of 3548 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 62 PID 1624 wrote to memory of 4184 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 74 PID 1624 wrote to memory of 4892 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 76 PID 1624 wrote to memory of 800 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 9 PID 1624 wrote to memory of 808 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 10 PID 1624 wrote to memory of 380 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 13 PID 1624 wrote to memory of 3008 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 51 PID 1624 wrote to memory of 2268 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 52 PID 1624 wrote to memory of 1068 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 53 PID 1624 wrote to memory of 3444 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 56 PID 1624 wrote to memory of 3560 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 57 PID 1624 wrote to memory of 3756 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 58 PID 1624 wrote to memory of 3844 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 59 PID 1624 wrote to memory of 3908 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 60 PID 1624 wrote to memory of 3984 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 61 PID 1624 wrote to memory of 3548 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 62 PID 1624 wrote to memory of 4184 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 74 PID 1624 wrote to memory of 4892 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 76 PID 1624 wrote to memory of 800 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 9 PID 1624 wrote to memory of 808 1624 f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe 10 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:800
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:808
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:380
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:3008
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2268
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:1068
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3444
-
C:\Users\Admin\AppData\Local\Temp\f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f29472b941613ed18d2d65a797139dbd_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1624
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3560
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3756
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3844
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3908
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3984
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3548
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:4184
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4892
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:3504
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request156.133.100.95.in-addr.arpaIN PTRResponse156.133.100.95.in-addr.arpaIN PTRa95-100-133-156deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request71.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request21.236.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request28.73.42.20.in-addr.arpaIN PTRResponse
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
156.133.100.95.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
71.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
21.236.111.52.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
28.73.42.20.in-addr.arpa
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD5f199921308bd81485e946995226d8b9b
SHA1b6acfa6de7b2d366c0e16deb047ff2d872a95314
SHA25619bd66f54177862c18ceda9b5048d104dc098545cd1bca55a2ad1f9ff6544439
SHA512b41fd1eb04eb98995934b09648dcaff1007c5877f5f67edac52c43a9b92955dd9b8adeb2657ccf679f6228e0698867a00281ba6c1ab9e04d61d3322242053c56