Analysis
-
max time kernel
49s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16-12-2024 11:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
19 signatures
150 seconds
General
-
Target
f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe
-
Size
369KB
-
MD5
f8e4401dff213d69435c8a4c95a5deea
-
SHA1
ac46f81e1385154221a02174c2a284eb858cf48b
-
SHA256
ceba6ad4b778705c6fc2a4a968b93c5da232a3c545cf0e62bacc624c7f674b5c
-
SHA512
6c815cd96e88749c1753187d3c433388e6086fb653f7b8c827e7d371426dba4b3667419651417589ebc9e72b40e85c9d58608ed65c1abe756c316ed83cfa7156
-
SSDEEP
6144:3v3+5MVSBtJ/M7Ikc3TFarEwxhJyyQaAt6REgdfSVzQtYMhNufkF8UWYXMrj2L:/0OSR01P47wdt9YMhaAXMryL
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" cimooda.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" cimooda.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" cimooda.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cimooda.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" cimooda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" cimooda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" cimooda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" cimooda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" cimooda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" cimooda.exe -
Executes dropped EXE 1 IoCs
pid Process 1828 cimooda.exe -
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 37.209.192.6 Destination IP 192.31.80.30 Destination IP 192.42.175.30 Destination IP 192.42.174.30 Destination IP 37.209.194.6 Destination IP 37.209.196.6 Destination IP 37.209.194.6 Destination IP 192.31.80.30 Destination IP 192.5.6.30 Destination IP 192.42.174.30 Destination IP 37.209.194.6 Destination IP 128.8.10.90 Destination IP 37.209.198.6 Destination IP 192.35.51.30 Destination IP 192.41.162.30 Destination IP 192.5.6.30 Destination IP 192.43.172.30 Destination IP 192.12.94.30 Destination IP 37.209.196.6 Destination IP 192.42.93.30 Destination IP 37.209.198.6 Destination IP 192.42.176.30 Destination IP 37.209.194.6 Destination IP 192.43.172.30 Destination IP 37.209.196.6 Destination IP 192.33.14.30 Destination IP 37.209.192.6 Destination IP 192.12.94.30 Destination IP 37.209.192.6 Destination IP 192.43.172.30 Destination IP 192.42.173.30 Destination IP 37.209.196.6 Destination IP 192.52.178.30 Destination IP 192.42.176.30 Destination IP 37.209.192.6 Destination IP 192.42.173.30 Destination IP 192.12.94.30 Destination IP 192.42.174.30 Destination IP 192.42.174.30 Destination IP 192.42.176.30 Destination IP 37.209.192.6 Destination IP 37.209.192.6 Destination IP 199.7.83.42 Destination IP 37.209.198.6 Destination IP 37.209.196.6 Destination IP 192.12.94.30 Destination IP 37.209.192.6 Destination IP 192.12.94.30 Destination IP 192.42.174.30 Destination IP 37.209.196.6 Destination IP 192.5.6.30 Destination IP 192.5.6.30 Destination IP 37.209.196.6 Destination IP 192.42.174.30 Destination IP 192.12.94.30 Destination IP 192.5.6.30 Destination IP 37.209.192.6 Destination IP 192.31.80.30 Destination IP 192.26.92.30 Destination IP 192.26.92.30 Destination IP 192.42.175.30 Destination IP 192.42.93.30 Destination IP 37.209.194.6 Destination IP 192.42.176.30 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" cimooda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" cimooda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" cimooda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc cimooda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" cimooda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" cimooda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" cimooda.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\soowy = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\dorou.exe" cimooda.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cimooda.exe -
Enumerates connected drives 3 TTPs 28 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe File opened (read-only) \??\L: cimooda.exe File opened (read-only) \??\M: cimooda.exe File opened (read-only) \??\E: f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe File opened (read-only) \??\G: cimooda.exe File opened (read-only) \??\T: f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe File opened (read-only) \??\V: f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe File opened (read-only) \??\K: cimooda.exe File opened (read-only) \??\P: f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe File opened (read-only) \??\M: f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe File opened (read-only) \??\E: cimooda.exe File opened (read-only) \??\N: cimooda.exe File opened (read-only) \??\O: cimooda.exe File opened (read-only) \??\I: f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe File opened (read-only) \??\P: cimooda.exe File opened (read-only) \??\G: f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe File opened (read-only) \??\K: f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe File opened (read-only) \??\O: f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe File opened (read-only) \??\U: f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe File opened (read-only) \??\J: f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe File opened (read-only) \??\L: f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe File opened (read-only) \??\N: f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe File opened (read-only) \??\Q: f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe File opened (read-only) \??\S: f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe File opened (read-only) \??\H: cimooda.exe File opened (read-only) \??\I: cimooda.exe File opened (read-only) \??\J: cimooda.exe File opened (read-only) \??\H: f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe -
resource yara_rule behavioral1/memory/2380-4-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-7-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-6-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-5-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-3-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-8-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-27-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-28-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-26-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-30-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-29-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-31-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-32-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-33-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-35-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-36-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-37-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-39-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-40-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-50-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-51-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-54-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-56-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-59-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-60-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-61-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-62-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-64-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-66-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-68-0x0000000002210000-0x000000000329E000-memory.dmp upx behavioral1/memory/2380-113-0x0000000002210000-0x000000000329E000-memory.dmp upx -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cimooda.exe -
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid Process 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe 1828 cimooda.exe 1828 cimooda.exe 1828 cimooda.exe 1828 cimooda.exe 1828 cimooda.exe 1828 cimooda.exe 1828 cimooda.exe 1828 cimooda.exe 1828 cimooda.exe 1828 cimooda.exe 1828 cimooda.exe 1828 cimooda.exe 1828 cimooda.exe 1828 cimooda.exe 1828 cimooda.exe 1828 cimooda.exe 1828 cimooda.exe 1828 cimooda.exe 1828 cimooda.exe 1828 cimooda.exe -
Suspicious behavior: RenamesItself 2 IoCs
pid Process 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe 1828 cimooda.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe Token: SeDebugPrivilege 1828 cimooda.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2380 wrote to memory of 1112 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe 19 PID 2380 wrote to memory of 1164 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe 20 PID 2380 wrote to memory of 1208 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe 21 PID 2380 wrote to memory of 1276 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe 23 PID 2380 wrote to memory of 1112 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe 19 PID 2380 wrote to memory of 1164 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe 20 PID 2380 wrote to memory of 1208 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe 21 PID 2380 wrote to memory of 1276 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe 23 PID 2380 wrote to memory of 1112 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe 19 PID 2380 wrote to memory of 1164 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe 20 PID 2380 wrote to memory of 1208 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe 21 PID 2380 wrote to memory of 1276 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe 23 PID 2380 wrote to memory of 1828 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe 31 PID 2380 wrote to memory of 1828 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe 31 PID 2380 wrote to memory of 1828 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe 31 PID 2380 wrote to memory of 1828 2380 f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe 31 PID 1828 wrote to memory of 1112 1828 cimooda.exe 19 PID 1828 wrote to memory of 1164 1828 cimooda.exe 20 PID 1828 wrote to memory of 1208 1828 cimooda.exe 21 PID 1828 wrote to memory of 1276 1828 cimooda.exe 23 PID 1828 wrote to memory of 1112 1828 cimooda.exe 19 PID 1828 wrote to memory of 1164 1828 cimooda.exe 20 PID 1828 wrote to memory of 1208 1828 cimooda.exe 21 PID 1828 wrote to memory of 1276 1828 cimooda.exe 23 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cimooda.exe
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1112
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1164
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1208
-
C:\Users\Admin\AppData\Local\Temp\f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f8e4401dff213d69435c8a4c95a5deea_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2380 -
C:\Users\Admin\AppData\Roaming\Microsoft\cimooda.exeC:\Users\Admin\AppData\Roaming\Microsoft\cimooda.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1828
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1276
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
369KB
MD5f8e4401dff213d69435c8a4c95a5deea
SHA1ac46f81e1385154221a02174c2a284eb858cf48b
SHA256ceba6ad4b778705c6fc2a4a968b93c5da232a3c545cf0e62bacc624c7f674b5c
SHA5126c815cd96e88749c1753187d3c433388e6086fb653f7b8c827e7d371426dba4b3667419651417589ebc9e72b40e85c9d58608ed65c1abe756c316ed83cfa7156
-
Filesize
257B
MD50616ce58f1f4d7c194e26b995825c783
SHA1c5b6cda388752d010e7baf905c50592f0d1a04cc
SHA2568e94465a99c79499f40d0ac710a17959d4b2a9e0d6b75236cdd1ae971b7f95fb
SHA512f16d80029a9eeae543fa746b688238f20aa4a414c974a13a6d7c07edaaaddc723de195ba4fa14839d307597fe3a175053e7d1c683713d15d1467a41acc5cb59e
-
Filesize
100KB
MD54f427a51609c768f1ba3200b6fd28db1
SHA1b8e63e823f0bb4fa2a561e8df05729ef07e68e79
SHA2563f16ce46d62bff83381a2195f6b3121a9abeb9e10a33269ead349b660610ca47
SHA512d2b37bac1e978e829b0d657c073d37f683c8751ef603ebb89e9fc77b951ce79f170746ccd2cbc707179677032e3a63846417fe94bab61c8073b4311479d1983e