Analysis
max time kernel: 122s
max time network: 121s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 01/01/2025, 04:34
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Resource: win7-20241023-en
General
Target: JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Size: 662KB
MD5: 47587fe98c674a9f3ebc42cbdcb37f00
SHA1: 7883342333110cc6c890341d10b9ae85a1a14fa0
SHA256: d7b9641921384103da2c76d60ec920dfaa95852301dfb0149effc8f0670529a6
SHA512: 8191f0cb990b481ab84dc7f5d1078b5b4ebb2a46cb348d68fdbe242d7dd45a2f7815247d1d5d29446b2241f74f8961dd38c2417262c8d1fb8fd138709d0e3ba5
SSDEEP: 6144:4TWkUUJ9izBIrXkOwNQ7jDWHztCOf4rjPZkPDmbUQLS1pogpdcgB6q/iNHRoK2wC:4TWRUDe4nvbzucgQNRoK24UY6zOF8R
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened (read-only) | \??\L: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened (read-only) | \??\N: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened (read-only) | \??\O: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened (read-only) | \??\P: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened (read-only) | \??\X: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened (read-only) | \??\Y: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened (read-only) | \??\E: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened (read-only) | \??\J: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened (read-only) | \??\M: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened (read-only) | \??\Q: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened (read-only) | \??\S: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened (read-only) | \??\T: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened (read-only) | \??\I: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened (read-only) | \??\R: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened (read-only) | \??\U: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened (read-only) | \??\W: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened (read-only) | \??\G: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened (read-only) | \??\K: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened (read-only) | \??\V: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened (read-only) | \??\Z: | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened for modification | F:\autorun.inf | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
resource | yara_rule
behavioral1/memory/2988-N-0x0000000001E30000-0x0000000002EBE000-memory.dmp | upx
(29 matches of the same memory region, for N = 4, 8, 3, 5, 6, 10, 11, 9, 7, 13, 12, 32, 34, 33, 36, 37, 38, 42, 44, 45, 46, 57, 61, 60, 63, 64, 65, 69, 70)
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Modifies registry class 30 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewVersion = "0" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
2988 | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe (12 identical entries)
Suspicious use of AdjustPrivilegeToken 29 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2988 | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe (29 identical entries)
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2988 | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe (2 identical entries)
Suspicious use of WriteProcessMemory 48 IoCs
description | pid | Process | procid_target
PID 2988 wrote to memory of 1040 | 2988 | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe | 17
PID 2988 wrote to memory of 1064 | 2988 | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe | 18
PID 2988 wrote to memory of 1128 | 2988 | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe | 20
PID 2988 wrote to memory of 2004 | 2988 | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe | 23
(this cycle of four entries is repeated 12 times in the same order, 48 entries in total)
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe
Processes
C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1040
C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1064
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1128
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_47587fe98c674a9f3ebc42cbdcb37f00.exe" | PID:2988
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:2004
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
Filesize: 100KB
MD5: 66b54041e9297f11eccbbe60b0bf5c2c
SHA1: fd5523c6f9f798bcfecb7a83ee3d9c950a3ea5db
SHA256: 311f18575d999fb2e28e0d5dc058d8fdb09b56e790e23313e43d1ceecba1d8dd
SHA512: 2b6385c9bc29ba9535ddd333e7fe327aef12397b57284054d4780e49baccc6d02c1395ebbd6f2cb4d9b876fe4ecef45eed6cdb98e0c0dcc07aaaffb94164e068