Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15-12-2024 17:25
Static task
static1
Behavioral task
behavioral1
Sample
f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe
-
Size
100KB
-
MD5
f5007bac9500e52936d2ad2fca56c365
-
SHA1
19218b75610e140f20baabd669b9f73d108fa2b2
-
SHA256
da668d7f0ebc247a71c61e987b5c8c537b196bb9df41770191e52a7c6a545900
-
SHA512
08c827296fa781c63b59980eb7ea55396e92b16518c2bf8fb874ad711cca6646f4066d920d539f88f3a4411868ed12abd092eedfd13237ebae779ca5e3cb2c1f
-
SSDEEP
3072:9znnfxuRLxcir1AwSkSEP7K948cXJ0vbj1hGNa:9zfGLxnr1rYEDK948cXuWN
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe -
Disables Task Manager via registry modification
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened (read-only) \??\V: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened (read-only) \??\W: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened (read-only) \??\X: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened (read-only) \??\Y: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened (read-only) \??\G: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened (read-only) \??\K: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened (read-only) \??\N: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened (read-only) \??\Q: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened (read-only) \??\E: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened (read-only) \??\M: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened (read-only) \??\P: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened (read-only) \??\R: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened (read-only) \??\T: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened (read-only) \??\U: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened (read-only) \??\Z: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened (read-only) \??\H: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened (read-only) \??\J: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened (read-only) \??\L: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened (read-only) \??\O: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened (read-only) \??\S: f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened for modification F:\autorun.inf f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe -
resource yara_rule behavioral2/memory/3596-3-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-1-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-8-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-5-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-4-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-7-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-13-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-11-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-15-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-6-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-16-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-17-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-18-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-19-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-20-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-22-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-23-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-24-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-27-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-29-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-30-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-31-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-33-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-36-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-37-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-40-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-41-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-49-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-50-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-53-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-54-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-55-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-57-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-59-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-61-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-62-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-64-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-66-0x00000000022F0000-0x000000000337E000-memory.dmp upx behavioral2/memory/3596-67-0x00000000022F0000-0x000000000337E000-memory.dmp upx -
Drops file in Program Files directory 11 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe Token: SeDebugPrivilege 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3596 wrote to memory of 784 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 8 PID 3596 wrote to memory of 788 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 9 PID 3596 wrote to memory of 380 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 13 PID 3596 wrote to memory of 2896 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 50 PID 3596 wrote to memory of 2948 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 51 PID 3596 wrote to memory of 3060 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 52 PID 3596 wrote to memory of 3500 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 56 PID 3596 wrote to memory of 3624 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 57 PID 3596 wrote to memory of 3832 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 58 PID 3596 wrote to memory of 3920 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 59 PID 3596 wrote to memory of 3984 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 60 PID 3596 wrote to memory of 4088 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 61 PID 3596 wrote to memory of 3864 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 62 PID 3596 wrote to memory of 1704 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 64 PID 3596 wrote to memory of 1768 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 75 PID 3596 wrote to memory of 784 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 8 PID 3596 wrote to memory of 788 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 9 PID 3596 wrote to memory of 380 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 13 PID 3596 wrote to memory of 2896 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 50 PID 3596 wrote to memory of 2948 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 51 PID 3596 wrote to memory of 3060 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 52 PID 3596 wrote to memory of 3500 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 56 PID 3596 wrote to memory of 3624 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 57 PID 3596 wrote to memory of 3832 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 58 PID 3596 wrote to memory of 3920 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 59 PID 3596 wrote to memory of 3984 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 60 PID 3596 wrote to memory of 4088 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 61 PID 3596 wrote to memory of 3864 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 62 PID 3596 wrote to memory of 1704 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 64 PID 3596 wrote to memory of 1768 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 75 PID 3596 wrote to memory of 784 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 8 PID 3596 wrote to memory of 788 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 9 PID 3596 wrote to memory of 380 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 13 PID 3596 wrote to memory of 2896 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 50 PID 3596 wrote to memory of 2948 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 51 PID 3596 wrote to memory of 3060 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 52 PID 3596 wrote to memory of 3500 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 56 PID 3596 wrote to memory of 3624 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 57 PID 3596 wrote to memory of 3832 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 58 PID 3596 wrote to memory of 3920 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 59 PID 3596 wrote to memory of 3984 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 60 PID 3596 wrote to memory of 4088 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 61 PID 3596 wrote to memory of 3864 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 62 PID 3596 wrote to memory of 1704 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 64 PID 3596 wrote to memory of 1768 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 75 PID 3596 wrote to memory of 784 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 8 PID 3596 wrote to memory of 788 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 9 PID 3596 wrote to memory of 380 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 13 PID 3596 wrote to memory of 2896 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 50 PID 3596 wrote to memory of 2948 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 51 PID 3596 wrote to memory of 3060 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 52 PID 3596 wrote to memory of 3500 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 56 PID 3596 wrote to memory of 3624 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 57 PID 3596 wrote to memory of 3832 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 58 PID 3596 wrote to memory of 3920 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 59 PID 3596 wrote to memory of 3984 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 60 PID 3596 wrote to memory of 4088 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 61 PID 3596 wrote to memory of 3864 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 62 PID 3596 wrote to memory of 1704 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 64 PID 3596 wrote to memory of 1768 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 75 PID 3596 wrote to memory of 784 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 8 PID 3596 wrote to memory of 788 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 9 PID 3596 wrote to memory of 380 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 13 PID 3596 wrote to memory of 2896 3596 f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe 50 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:784
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:788
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:380
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2896
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2948
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:3060
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3500
-
C:\Users\Admin\AppData\Local\Temp\f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f5007bac9500e52936d2ad2fca56c365_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3596
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3624
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3832
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3920
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3984
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4088
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3864
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:1704
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:1768
Network
-
Remote address:8.8.8.8:53Request154.239.44.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.210.23.2.in-addr.arpaIN PTRResponse88.210.23.2.in-addr.arpaIN PTRa2-23-210-88deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request14.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.163.245.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request86.49.80.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request83.210.23.2.in-addr.arpaIN PTRResponse83.210.23.2.in-addr.arpaIN PTRa2-23-210-83deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request43.229.111.52.in-addr.arpaIN PTRResponse
-
72 B 158 B 1 1
DNS Request
154.239.44.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
88.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.160.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
70 B 145 B 1 1
DNS Request
86.49.80.91.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
83.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
43.229.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD5249f5b27042d4bd0560ee838a74d00b2
SHA1d228c923bf026d481e52918aa88007a6013152bb
SHA256ad13d2d03566cfbae87ad8928773d0bb3ceed096cea24ff90544934571cbcbf4
SHA512f60603ae905cf8cde45ee33329eafe085303e7a6c6ac07514d2dc759e5cd6036ed696e865e365b0c9b619bb1b8eb9d3c5cad2b66177247f3a254994af90d8508