Analysis
max time kernel: 22s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-12-2024 13:13
Static task: static1
Behavioral task: behavioral1
Sample: f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe
Size: 234KB
MD5: f42b5ff4ab691b9af3c72cdfda43d419
SHA1: 9759512749bdc88c0430b2e664e055f07e46f66b
SHA256: b1ea57d7569fec7d244810cb77a4bfe3220104afab20918febcd44743eeb7e2e
SHA512: ac478171a959eae1517043f8607790bec0840648ef96075d8882235b058ab2b44cc92e924e39108da82598b72a865c8775fcb20c4afefa97e2bc26693c9b2cb6
SSDEEP: 3072:m1GQp9T0SQmaEDqSpDZcYLWF95uiLztGtCTrHLgr:P23gIpUF95tzv3gr
Malware Config
Extracted family: sality
Extracted URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Sality family

Registry policy value set (description: ioc, process):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", server.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation, f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
- PID 3128: YFreeze.exe
- PID 1428: server.exe
Registry policy value set (description: ioc, process):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", server.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe
Memory dumps matching YARA rule upx (resource, yara_rule):
- behavioral2/memory/1428-22-0x00000000021B0000-0x00000000031E0000-memory.dmp, upx
- behavioral2/memory/1428-20-0x00000000021B0000-0x00000000031E0000-memory.dmp, upx
- behavioral2/memory/1428-24-0x00000000021B0000-0x00000000031E0000-memory.dmp, upx
- behavioral2/memory/1428-27-0x00000000021B0000-0x00000000031E0000-memory.dmp, upx
- behavioral2/memory/1428-49-0x00000000021B0000-0x00000000031E0000-memory.dmp, upx
- behavioral2/memory/1428-51-0x00000000021B0000-0x00000000031E0000-memory.dmp, upx
- behavioral2/memory/2068-80-0x0000000002E40000-0x0000000003E70000-memory.dmp, upx
- behavioral2/memory/2068-77-0x0000000002E40000-0x0000000003E70000-memory.dmp, upx
- behavioral2/memory/2068-86-0x0000000002E40000-0x0000000003E70000-memory.dmp, upx
- behavioral2/memory/2068-88-0x0000000002E40000-0x0000000003E70000-memory.dmp, upx
- behavioral2/memory/2068-89-0x0000000002E40000-0x0000000003E70000-memory.dmp, upx
Drops file in Program Files directory (2 IoCs)
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7z.exe, f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7zFM.exe, f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe
Drops file in Windows directory (1 IoC)
- File opened for modification: C:\Windows\SYSTEM.INI, server.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, YFreeze.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, server.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs; identical rows collapsed)
- PID 1428: server.exe (6 occurrences)
- PID 2068: f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe (4 occurrences)
Suspicious use of AdjustPrivilegeToken (64 IoCs; all rows identical)
- Token: SeDebugPrivilege, PID 1428, server.exe (64 occurrences)
Suspicious use of SetWindowsHookEx (4 IoCs; all rows identical)
- PID 3128: YFreeze.exe (4 occurrences)
Suspicious use of WriteProcessMemory (60 IoCs; duplicate rows collapsed, target PIDs listed once each)
- PID 2068 (f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe) wrote to memory of PID 3128 (YFreeze.exe) and PID 1428 (server.exe)
- PID 1428 (server.exe) wrote to memory of PIDs 780, 784, 336, 2948, 2988, 3108, 3520, 3636, 3828, 3916, 3988, 4068, 4168, 1220, 3508, 4300, 2068, 3128
- PID 2068 (f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe) wrote to memory of PIDs 780, 784, 336, 2948, 2988, 3108, 3520, 3636, 3828, 3916, 3988, 4068, 4168, 1220, 3508
System policy modification (1 TTP, 2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", server.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe
Processes (indented entries are children of the entry above them; each line gives image path, command line, PID)
- C:\Windows\system32\fontdrvhost.exe, command line "fontdrvhost.exe", PID 780
- C:\Windows\system32\fontdrvhost.exe, command line "fontdrvhost.exe", PID 784
- C:\Windows\system32\dwm.exe, command line "dwm.exe", PID 336
- C:\Windows\system32\sihost.exe, command line sihost.exe, PID 2948
- C:\Windows\system32\svchost.exe, command line C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, PID 2988
- C:\Windows\system32\taskhostw.exe, command line taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}, PID 3108
- C:\Windows\Explorer.EXE, command line C:\Windows\Explorer.EXE, PID 3520
  - C:\Users\Admin\AppData\Local\Temp\f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe, command line "C:\Users\Admin\AppData\Local\Temp\f42b5ff4ab691b9af3c72cdfda43d419_JaffaCakes118.exe", PID 2068
    Signatures:
    - UAC bypass
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\YFreeze.exe, command line "C:\Users\Admin\AppData\Local\Temp\YFreeze.exe", PID 3128
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Local\Temp\server.exe, command line "C:\Users\Admin\AppData\Local\Temp\server.exe", PID 1428
      Signatures:
      - UAC bypass
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\svchost.exe, command line C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc, PID 3636
- C:\Windows\system32\DllHost.exe, command line C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, PID 3828
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe, command line "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca, PID 3916
- C:\Windows\System32\RuntimeBroker.exe, command line C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 3988
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe, command line "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca, PID 4068
- C:\Windows\System32\RuntimeBroker.exe, command line C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 4168
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe, command line "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca, PID 1220
- C:\Windows\System32\RuntimeBroker.exe, command line C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 3508
- C:\Windows\system32\backgroundTaskHost.exe, command line "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca, PID 4300
MITRE ATT&CK Enterprise v15 (tactic: technique (count), sub-technique (count))
- Privilege Escalation: Abuse Elevation Control Mechanism (1), Bypass User Account Control (1)
- Defense Evasion: Abuse Elevation Control Mechanism (1), Bypass User Account Control (1); Impair Defenses (1), Disable or Modify Tools (1); Modify Registry (2)
Downloads