Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
96s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
01/01/2025, 03:36
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe
Resource
win7-20240903-en
General
-
Target
JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe
-
Size
140KB
-
MD5
45c4c38b1c3b20a54138dc13191811d0
-
SHA1
4f8da3b5e018123a598e4bdbb3200757325732b9
-
SHA256
e716fb02bab4f27fa34a775dd3616902560250e2148c3d045dc473752e89e71b
-
SHA512
e04189798948bd87d8e5b1e9e213f7a20ea5c1672a6785c56523bc48ce4a806462005b4c9a3afe256f82b43c8e17a9c3690fd841e5693d2c8d7bd8bc9453a43f
-
SSDEEP
3072:IkoVocF1mzOAt1+tKevji3kQI6gyOmC9fueGPqq1j:dmB4ctKcix0PR0qqF
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 7 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe:*:enabled:@shell32.dll,-1" JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\DRIVERS\ETC\HOSTS JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe -
resource yara_rule behavioral2/memory/4900-1-0x0000000002440000-0x00000000034CE000-memory.dmp upx behavioral2/memory/4900-5-0x0000000002440000-0x00000000034CE000-memory.dmp upx behavioral2/memory/4900-9-0x0000000002440000-0x00000000034CE000-memory.dmp upx behavioral2/memory/4900-10-0x0000000002440000-0x00000000034CE000-memory.dmp upx behavioral2/memory/4900-21-0x0000000002440000-0x00000000034CE000-memory.dmp upx behavioral2/memory/4900-17-0x0000000002440000-0x00000000034CE000-memory.dmp upx behavioral2/memory/4900-19-0x0000000002440000-0x00000000034CE000-memory.dmp upx behavioral2/memory/4900-15-0x0000000002440000-0x00000000034CE000-memory.dmp upx behavioral2/memory/4900-6-0x0000000002440000-0x00000000034CE000-memory.dmp upx -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe -
Suspicious behavior: MapViewOfSection 64 IoCs
pid Process 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeDebugPrivilege 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Token: SeDebugPrivilege 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Token: SeDebugPrivilege 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Token: SeDebugPrivilege 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Token: SeDebugPrivilege 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Token: SeDebugPrivilege 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Token: SeDebugPrivilege 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Token: SeDebugPrivilege 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Token: SeDebugPrivilege 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Token: SeDebugPrivilege 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Token: SeDebugPrivilege 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe Token: SeDebugPrivilege 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4900 wrote to memory of 612 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 5 PID 4900 wrote to memory of 612 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 5 PID 4900 wrote to memory of 612 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 5 PID 4900 wrote to memory of 612 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 5 PID 4900 wrote to memory of 612 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 5 PID 4900 wrote to memory of 612 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 5 PID 4900 wrote to memory of 684 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 7 PID 4900 wrote to memory of 684 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 7 PID 4900 wrote to memory of 684 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 7 PID 4900 wrote to memory of 684 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 7 PID 4900 wrote to memory of 684 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 7 PID 4900 wrote to memory of 684 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 7 PID 4900 wrote to memory of 788 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 8 PID 4900 wrote to memory of 788 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 8 PID 4900 wrote to memory of 788 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 8 PID 4900 wrote to memory of 788 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 8 PID 4900 wrote to memory of 788 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 8 PID 4900 wrote to memory of 788 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 8 PID 4900 wrote to memory of 796 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 9 PID 4900 wrote to memory of 796 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 9 PID 4900 wrote to memory of 796 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 9 PID 4900 wrote to memory of 796 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 9 PID 4900 wrote to memory of 796 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 9 PID 4900 wrote to memory of 796 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 9 PID 4900 wrote to memory of 804 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 10 PID 4900 wrote to memory of 804 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 10 PID 4900 wrote to memory of 804 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 10 PID 4900 wrote to memory of 804 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 10 PID 4900 wrote to memory of 804 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 10 PID 4900 wrote to memory of 804 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 10 PID 4900 wrote to memory of 912 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 11 PID 4900 wrote to memory of 912 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 11 PID 4900 wrote to memory of 912 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 11 PID 4900 wrote to memory of 912 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 11 PID 4900 wrote to memory of 912 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 11 PID 4900 wrote to memory of 912 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 11 PID 4900 wrote to memory of 960 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 12 PID 4900 wrote to memory of 960 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 12 PID 4900 wrote to memory of 960 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 12 PID 4900 wrote to memory of 960 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 12 PID 4900 wrote to memory of 960 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 12 PID 4900 wrote to memory of 960 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 12 PID 4900 wrote to memory of 316 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 13 PID 4900 wrote to memory of 316 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 13 PID 4900 wrote to memory of 316 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 13 PID 4900 wrote to memory of 316 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 13 PID 4900 wrote to memory of 316 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 13 PID 4900 wrote to memory of 316 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 13 PID 4900 wrote to memory of 412 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 14 PID 4900 wrote to memory of 412 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 14 PID 4900 wrote to memory of 412 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 14 PID 4900 wrote to memory of 412 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 14 PID 4900 wrote to memory of 412 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 14 PID 4900 wrote to memory of 412 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 14 PID 4900 wrote to memory of 1048 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 15 PID 4900 wrote to memory of 1048 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 15 PID 4900 wrote to memory of 1048 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 15 PID 4900 wrote to memory of 1048 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 15 PID 4900 wrote to memory of 1048 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 15 PID 4900 wrote to memory of 1048 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 15 PID 4900 wrote to memory of 1056 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 16 PID 4900 wrote to memory of 1056 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 16 PID 4900 wrote to memory of 1056 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 16 PID 4900 wrote to memory of 1056 4900 JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe 16 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:612
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"2⤵PID:796
-
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:316
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:684
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵PID:788
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding2⤵PID:2256
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵PID:3832
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵PID:3920
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵PID:3996
-
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca2⤵PID:4088
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵PID:3956
-
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding2⤵PID:3980
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵PID:3220
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca2⤵PID:3788
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵PID:4608
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵PID:452
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵PID:2012
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵PID:400
-
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:804
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵PID:912
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:960
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:412
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵PID:1048
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:1056
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1064
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1080
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1192
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2940
-
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe2⤵PID:4424
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵PID:1208
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1292
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1312
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1384
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1400
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1468
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2672
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1492
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1512
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1652
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1696
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1732
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1808
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1828
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1932
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1960
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1968
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2036
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2060
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2096
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵PID:2120
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2216
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2332
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2492
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2504
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2700
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵PID:2724
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2780
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2792
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2812
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2844
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:3100
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3456
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3540
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45c4c38b1c3b20a54138dc13191811d0.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Drops file in Drivers directory
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4900
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3644
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:3756
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:4524
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:2924
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵PID:4040
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:2916
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:4184
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:952
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5