Analysis
-
max time kernel
15s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18-12-2024 22:28
Behavioral task
behavioral1
Sample
fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
23 signatures
150 seconds
General
-
Target
fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe
-
Size
685KB
-
MD5
fd5e564367386b0e2410483a61cfe5da
-
SHA1
5196bf3184a7fcfed3fed3d77ee55757121b57c2
-
SHA256
54810025f723ec977e5009ff1e506e75447f8b0c5649326a94d891d2a3f507d2
-
SHA512
742d26a15c576e5821a3b9e3728691b0dc66b450226a8ed6df9f6eccff5b6badacd53511796cb9aebf2644465fe20ef5eed72ff72bc51e592493890467111c9f
-
SSDEEP
12288:NM5DSN6aAH0XNgZ63Xcry47gGpWa7U8oico9hJMBex+gQL05:NM5D18N+6ncPEGZNVlxnF5
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" lsass.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" lsass.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" lsass.exe -
Deletes itself 1 IoCs
pid Process 2904 lsass.exe -
Executes dropped EXE 1 IoCs
pid Process 2904 lsass.exe -
Loads dropped DLL 1 IoCs
pid Process 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc lsass.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\run32 = "C:\\Win\\lsass.exe" lsass.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe -
Enumerates connected drives 3 TTPs 55 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\q: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\n: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\g: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\h: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\i: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\b: lsass.exe File opened (read-only) \??\k: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\h: lsass.exe File opened (read-only) \??\x: lsass.exe File opened (read-only) \??\J: lsass.exe File opened (read-only) \??\o: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\l: lsass.exe File opened (read-only) \??\p: lsass.exe File opened (read-only) \??\a: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\m: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\G: lsass.exe File opened (read-only) \??\w: lsass.exe File opened (read-only) \??\k: lsass.exe File opened (read-only) \??\m: lsass.exe File opened (read-only) \??\r: lsass.exe File opened (read-only) \??\s: lsass.exe File opened (read-only) \??\z: lsass.exe File opened (read-only) \??\b: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\x: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\a: lsass.exe File opened (read-only) \??\H: lsass.exe File opened (read-only) \??\L: lsass.exe File opened (read-only) \??\j: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\u: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\o: lsass.exe File opened (read-only) \??\K: lsass.exe File opened (read-only) \??\s: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\n: lsass.exe File opened (read-only) \??\q: lsass.exe File opened (read-only) \??\I: lsass.exe File opened (read-only) \??\e: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\w: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\i: lsass.exe File opened (read-only) \??\z: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\v: lsass.exe File opened (read-only) \??\M: lsass.exe File opened (read-only) \??\r: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\y: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\E: lsass.exe File opened (read-only) \??\p: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\j: lsass.exe File opened (read-only) \??\t: lsass.exe File opened (read-only) \??\l: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\g: lsass.exe File opened (read-only) \??\u: lsass.exe File opened (read-only) \??\y: lsass.exe File opened (read-only) \??\N: lsass.exe File opened (read-only) \??\t: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\v: fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe File opened (read-only) \??\e: lsass.exe -
resource yara_rule behavioral1/memory/2128-0-0x0000000000400000-0x00000000004C4000-memory.dmp upx behavioral1/memory/2128-4-0x0000000001E80000-0x0000000002F0E000-memory.dmp upx behavioral1/memory/2128-7-0x0000000001E80000-0x0000000002F0E000-memory.dmp upx behavioral1/memory/2128-8-0x0000000001E80000-0x0000000002F0E000-memory.dmp upx behavioral1/memory/2128-5-0x0000000001E80000-0x0000000002F0E000-memory.dmp upx behavioral1/memory/2128-10-0x0000000001E80000-0x0000000002F0E000-memory.dmp upx behavioral1/memory/2128-11-0x0000000001E80000-0x0000000002F0E000-memory.dmp upx behavioral1/memory/2128-9-0x0000000001E80000-0x0000000002F0E000-memory.dmp upx behavioral1/memory/2128-6-0x0000000001E80000-0x0000000002F0E000-memory.dmp upx behavioral1/memory/2128-3-0x0000000001E80000-0x0000000002F0E000-memory.dmp upx behavioral1/memory/2128-32-0x0000000001E80000-0x0000000002F0E000-memory.dmp upx behavioral1/memory/2128-33-0x0000000001E80000-0x0000000002F0E000-memory.dmp upx behavioral1/files/0x000700000001659b-40.dat upx behavioral1/memory/2128-58-0x0000000000400000-0x00000000004C4000-memory.dmp upx behavioral1/memory/2904-73-0x0000000001FE0000-0x000000000306E000-memory.dmp upx behavioral1/memory/2904-72-0x0000000001FE0000-0x000000000306E000-memory.dmp upx behavioral1/memory/2904-70-0x0000000001FE0000-0x000000000306E000-memory.dmp upx behavioral1/memory/2904-69-0x0000000001FE0000-0x000000000306E000-memory.dmp upx behavioral1/memory/2904-68-0x0000000001FE0000-0x000000000306E000-memory.dmp upx behavioral1/memory/2904-67-0x0000000001FE0000-0x000000000306E000-memory.dmp upx behavioral1/memory/2904-66-0x0000000001FE0000-0x000000000306E000-memory.dmp upx behavioral1/files/0x0007000000016645-63.dat upx behavioral1/memory/2904-60-0x0000000001FE0000-0x000000000306E000-memory.dmp upx behavioral1/memory/2128-59-0x0000000001E80000-0x0000000002F0E000-memory.dmp upx behavioral1/memory/2904-56-0x0000000000400000-0x00000000004C4000-memory.dmp upx behavioral1/memory/2128-35-0x0000000001E80000-0x0000000002F0E000-memory.dmp upx behavioral1/memory/2904-118-0x0000000000400000-0x00000000004C4000-memory.dmp upx -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe -
Modifies registry class 37 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c003100000000002359e72a10204c6f63616c00380008000400efbe2359ac292359e72a2a000000000200000000020000000000000000000000000000004c006f00630061006c00000014000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = a20031000000000092599ab317204644354535367e3100008a0008000400efbe92599ab392599ab32a00000010620100000008000000000000000000000000000000660064003500650035003600340033003600370033003800360062003000650032003400310030003400380033006100360031006300660065003500640061005f004a006100660066006100430061006b0065007300310031003800000018000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a0031000000000092599ab3102054656d700000360008000400efbe2359ac2992599ab32a00000001020000000002000000000000000000000000000000540065006d007000000014000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 52003100000000002359ac29122041707044617461003c0008000400efbe2359ac292359ac292a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000016000000 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 74003100000000002359ac291100557365727300600008000400efbeee3a851a2359ac292a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c003100000000002359a52d100041646d696e00380008000400efbe2359ac292359a52d2a00000030000000000004000000000000000000000000000000410064006d0069006e00000014000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 explorer.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe 2904 lsass.exe 2904 lsass.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2904 lsass.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe Token: SeDebugPrivilege 2904 lsass.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 2128 wrote to memory of 1116 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe 19 PID 2128 wrote to memory of 1168 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe 20 PID 2128 wrote to memory of 1204 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe 21 PID 2128 wrote to memory of 1528 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe 25 PID 2128 wrote to memory of 2760 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe 30 PID 2128 wrote to memory of 2760 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe 30 PID 2128 wrote to memory of 2760 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe 30 PID 2128 wrote to memory of 2760 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe 30 PID 2128 wrote to memory of 2904 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe 32 PID 2128 wrote to memory of 2904 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe 32 PID 2128 wrote to memory of 2904 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe 32 PID 2128 wrote to memory of 2904 2128 fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe 32 PID 2904 wrote to memory of 1116 2904 lsass.exe 19 PID 2904 wrote to memory of 1168 2904 lsass.exe 20 PID 2904 wrote to memory of 1204 2904 lsass.exe 21 PID 2904 wrote to memory of 1528 2904 lsass.exe 25 PID 2904 wrote to memory of 2128 2904 lsass.exe 29 PID 2904 wrote to memory of 2740 2904 lsass.exe 31 PID 2904 wrote to memory of 1116 2904 lsass.exe 19 PID 2904 wrote to memory of 1168 2904 lsass.exe 20 PID 2904 wrote to memory of 1204 2904 lsass.exe 21 PID 2904 wrote to memory of 1528 2904 lsass.exe 25 PID 2904 wrote to memory of 2740 2904 lsass.exe 31 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" lsass.exe
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1116
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1168
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1204
-
C:\Users\Admin\AppData\Local\Temp\fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fd5e564367386b0e2410483a61cfe5da_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2128 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe C:\Users\Admin\AppData\Local\Temp\fd5e564367386b0e2410483a61cfe5da_JaffaCakes1183⤵
- System Location Discovery: System Language Discovery
PID:2760
-
-
\??\c:\Win\lsass.exec:\Win\lsass.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2904
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1528
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2740
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
606KB
MD546ba5ce494d8b7b94ec7af81cc0f4d04
SHA1c139c377844f8c75d47134cbf5b7c4c390fa65a4
SHA256f385776f9563f839cce8d163923545e5393d76944b3c6f3ccf2ea49f51d09123
SHA5123026c0a8a004684e9b2be5ea82f0c32c2a03b6e9c7d04a4f8fbc68421b4ff993a4f309fc811a5cf2594c5083d4def56f6501b762f0cdff578c4c69c01672468c
-
Filesize
685KB
MD5fd5e564367386b0e2410483a61cfe5da
SHA15196bf3184a7fcfed3fed3d77ee55757121b57c2
SHA25654810025f723ec977e5009ff1e506e75447f8b0c5649326a94d891d2a3f507d2
SHA512742d26a15c576e5821a3b9e3728691b0dc66b450226a8ed6df9f6eccff5b6badacd53511796cb9aebf2644465fe20ef5eed72ff72bc51e592493890467111c9f
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
257B
MD5238a9bc61260567370be5cbff6da0d3b
SHA19a9f906b60c38b384dd225cdde7c2c8b399e3b5c
SHA256a1e9e2f289c76518fd00b0c22eedecf7a77faf872d47e9c10ec530f3515875dd
SHA5124d48d1c5cd0bb88d87e8c52198fba1d3ccdfa3d69112e604744622a14722bae6316230a998dc0b5a11b6cf345181265e530c7f8e40173d19d546f0a270b616bf
-
Filesize
100KB
MD51445ec9cac729312c5ea683045e34a6d
SHA1dfbe65419df9ed7c0df2e0a22466b77c4df8a01e
SHA256185f2d6964030d84f6f59de72d1a444150cfad5eb22d61cf9c22cf7d4efb79e2
SHA5127fb2cbd06b7671cc49b6f4751707aa69eecf4f01a95159d0e9f798f7ebecba711bc4fb7696cbe49ff0e0df21b32dd957918d60204035921865ce993e6dc8d1fc