Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 08:12
Static task
static1
Behavioral task
behavioral1
Sample
ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe
Resource
win7-20241010-en
General
-
Target
ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe
-
Size
100KB
-
MD5
ff1b67d1d50cc56b663de39f3f454d65
-
SHA1
ce827ac7d8658467abcc79483dc39f83b455c671
-
SHA256
c9c5fbb57e38b4f653976b7749052797525ed3ed99cd06f243d69b6ce66ab4f1
-
SHA512
ea9fcfed8ac3746753978f0ad48f53d41e29e0f9a240c62e04fe729d3580f4144f4fbf8c08adefc72fda9f9b64ab24a42efc00395f7e3cea37728de17798bb7f
-
SSDEEP
1536:OsW6F3sa40IUzBNCAhJuPZKdrzzcEOWzFhWrrqZwdzmmKWrHH/fs286N8D6Wot5e:OK2zATnJuMdL1xznkGg+A/dWClY
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe -
Disables Task Manager via registry modification
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened (read-only) \??\I: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened (read-only) \??\P: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened (read-only) \??\V: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened (read-only) \??\W: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened (read-only) \??\G: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened (read-only) \??\K: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened (read-only) \??\L: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened (read-only) \??\O: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened (read-only) \??\Q: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened (read-only) \??\T: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened (read-only) \??\U: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened (read-only) \??\Z: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened (read-only) \??\H: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened (read-only) \??\Y: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened (read-only) \??\J: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened (read-only) \??\M: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened (read-only) \??\N: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened (read-only) \??\R: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened (read-only) \??\S: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened (read-only) \??\X: ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened for modification F:\autorun.inf ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe -
resource yara_rule behavioral2/memory/540-1-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-3-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-4-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-8-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-5-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-10-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-13-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-14-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-12-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-15-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-16-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-17-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-18-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-19-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-21-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-22-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-24-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-25-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-27-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-29-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-30-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-33-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-37-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-39-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-40-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-41-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-44-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-46-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-53-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-55-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-57-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-59-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-60-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-64-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-65-0x00000000021C0000-0x000000000324E000-memory.dmp upx behavioral2/memory/540-67-0x00000000021C0000-0x000000000324E000-memory.dmp upx -
Drops file in Program Files directory 11 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe Token: SeDebugPrivilege 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 540 wrote to memory of 792 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 9 PID 540 wrote to memory of 800 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 10 PID 540 wrote to memory of 420 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 13 PID 540 wrote to memory of 2596 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 44 PID 540 wrote to memory of 2644 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 45 PID 540 wrote to memory of 2808 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 48 PID 540 wrote to memory of 3520 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 56 PID 540 wrote to memory of 3648 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 57 PID 540 wrote to memory of 3824 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 58 PID 540 wrote to memory of 3916 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 59 PID 540 wrote to memory of 3992 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 60 PID 540 wrote to memory of 4072 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 61 PID 540 wrote to memory of 3576 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 62 PID 540 wrote to memory of 396 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 64 PID 540 wrote to memory of 672 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 76 PID 540 wrote to memory of 1988 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 81 PID 540 wrote to memory of 792 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 9 PID 540 wrote to memory of 800 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 10 PID 540 wrote to memory of 420 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 13 PID 540 wrote to memory of 2596 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 44 PID 540 wrote to memory of 2644 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 45 PID 540 wrote to memory of 2808 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 48 PID 540 wrote to memory of 3520 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 56 PID 540 wrote to memory of 3648 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 57 PID 540 wrote to memory of 3824 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 58 PID 540 wrote to memory of 3916 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 59 PID 540 wrote to memory of 3992 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 60 PID 540 wrote to memory of 4072 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 61 PID 540 wrote to memory of 3576 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 62 PID 540 wrote to memory of 396 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 64 PID 540 wrote to memory of 672 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 76 PID 540 wrote to memory of 1988 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 81 PID 540 wrote to memory of 792 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 9 PID 540 wrote to memory of 800 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 10 PID 540 wrote to memory of 420 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 13 PID 540 wrote to memory of 2596 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 44 PID 540 wrote to memory of 2644 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 45 PID 540 wrote to memory of 2808 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 48 PID 540 wrote to memory of 3520 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 56 PID 540 wrote to memory of 3648 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 57 PID 540 wrote to memory of 3824 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 58 PID 540 wrote to memory of 3916 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 59 PID 540 wrote to memory of 3992 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 60 PID 540 wrote to memory of 4072 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 61 PID 540 wrote to memory of 3576 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 62 PID 540 wrote to memory of 396 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 64 PID 540 wrote to memory of 672 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 76 PID 540 wrote to memory of 792 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 9 PID 540 wrote to memory of 800 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 10 PID 540 wrote to memory of 420 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 13 PID 540 wrote to memory of 2596 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 44 PID 540 wrote to memory of 2644 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 45 PID 540 wrote to memory of 2808 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 48 PID 540 wrote to memory of 3520 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 56 PID 540 wrote to memory of 3648 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 57 PID 540 wrote to memory of 3824 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 58 PID 540 wrote to memory of 3916 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 59 PID 540 wrote to memory of 3992 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 60 PID 540 wrote to memory of 4072 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 61 PID 540 wrote to memory of 3576 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 62 PID 540 wrote to memory of 396 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 64 PID 540 wrote to memory of 672 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 76 PID 540 wrote to memory of 792 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 9 PID 540 wrote to memory of 800 540 ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe 10 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:792
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:800
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:420
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2596
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2644
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2808
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ff1b67d1d50cc56b663de39f3f454d65_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:540
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3648
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3824
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3916
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3992
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4072
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3576
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:396
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:672
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:1988
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request154.239.44.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.210.23.2.in-addr.arpaIN PTRResponse88.210.23.2.in-addr.arpaIN PTRa2-23-210-88deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request4.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request53.210.109.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request182.129.81.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
154.239.44.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
88.210.23.2.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
4.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
228.249.119.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
53.210.109.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
72 B 147 B 1 1
DNS Request
182.129.81.91.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
43.229.111.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD5873e81ff8f8425ec60faaba1d946c575
SHA1375b16f2e04ca4718da4c8950a1528ba9f48cb08
SHA2565e9d57fa2f21989339dbb105aa7543867f64c87a9231c35f6c6ca9e4ad3be537
SHA51278b950f66fbb74007f4725b932300bbe989e96660e67e383673c51e98d0cfa230659bc041bf2b24eca276c26546bce9e91e4874409b283e1df925763300172af