Analysis

max time kernel: 122s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2024 11:25
Static task: static1
Behavioral task: behavioral1
Sample: ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
Resource: win7-20240903-en
General

Target: ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
Size: 100KB
MD5: ffac08852e9d0b1fe8e5fd2f76c50351
SHA1: 5a89197909e84594b72c7ca7c61e0ef588f69933
SHA256: 045b0c2743c21023ab31845011b4c6346bffd6583c72d0e16de3ff2c20d09717
SHA512: ebf076f51cafc025a8523fc4d5a3e7aed3c696d973e5b59f98834bd437d04b4371f97fa8ea17ae39d81d3130c234ce4c02c50238360083e2126a3f8754e187c9
SSDEEP: 3072:SYeQazY2Rdou7C6pi9wEmwC6EQ/L2vYXEx0O1cPhC:Sk2zou7C6piiwC6EBME71cP
Malware Config

Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service  3 TTPs  3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe

Sality family

UAC bypass (signature name taken from the process list below; TTP/IoC counts not present in the report)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe

Windows security bypass (signature name taken from the process list below; TTP/IoC counts not present in the report)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe

Windows security modification (signature name taken from the process list below; TTP/IoC counts not present in the report)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe

Checks whether UAC is enabled (signature name taken from the process list below; TTP/IoC counts not present in the report)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
Enumerates connected drives  3 TTPs  21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened (read-only) | \??\J: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened (read-only) | \??\T: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened (read-only) | \??\W: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened (read-only) | \??\Y: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened (read-only) | \??\E: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened (read-only) | \??\G: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened (read-only) | \??\H: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened (read-only) | \??\K: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened (read-only) | \??\M: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened (read-only) | \??\Q: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened (read-only) | \??\Z: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened (read-only) | \??\L: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened (read-only) | \??\P: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened (read-only) | \??\R: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened (read-only) | \??\U: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened (read-only) | \??\V: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened (read-only) | \??\X: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened (read-only) | \??\N: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened (read-only) | \??\O: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened (read-only) | \??\S: | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
Drops autorun.inf file  1 TTPs  2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened for modification | F:\autorun.inf | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
resource | yara_rule
behavioral1/memory/2720-N-0x0000000001D40000-0x0000000002DCE000-memory.dmp | upx
(25 memory dumps of the same region, N = 1, 3, 24, 22, 7, 6, 5, 4, 23, 28, 29, 30, 32, 31, 49, 51, 52, 55, 56, 58, 60, 61, 64, 65, 66; each matched the upx rule)
Drops file in Program Files directory  5 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe

Drops file in Windows directory  1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery  1 TTPs  1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses  12 IoCs
pid | Process
2720 | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
(the same row is recorded 12 times)
Suspicious use of AdjustPrivilegeToken  29 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2720 | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
(the same row is recorded 29 times)
Suspicious use of WriteProcessMemory  48 IoCs
description | pid | Process | procid_target
PID 2720 wrote to memory of 1120 | 2720 | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe | 19
PID 2720 wrote to memory of 1172 | 2720 | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe | 20
PID 2720 wrote to memory of 1220 | 2720 | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe | 21
PID 2720 wrote to memory of 1200 | 2720 | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe | 23
(this cycle of four rows is recorded 12 times, 48 IoCs in total; the target PIDs 1120, 1172, 1220 and 1200 are taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe in the process list below)
System policy modification  1 TTPs  1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
Processes

C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID: 1120

C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID: 1172

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1220

    C:\Users\Admin\AppData\Local\Temp\ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ffac08852e9d0b1fe8e5fd2f76c50351_JaffaCakes118.exe"
      PID: 2720
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1200
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 100KB
MD5: 9f9c42af7baf22e41359454e893f88be
SHA1: eae31970fb00635dc1af63bdb579cefa5b3228c0
SHA256: 9a0e112a8589943bece7116e4bbf7e1176a01a032fde08a546315a7cbade3d85
SHA512: a89e3a75f2270c42d0ae4c566ab29f21534b8d6146d6a9de7608eca8bd664c94045a1cd3f8bd0090ce4f02aac94b7e9505d7002d47155c8977ed93807968318a