Overview (score 10)
Static (score 3)
JaffaCakes...90.exe, windows7-x64 (score 10)
JaffaCakes...90.exe, windows10-2004-x64 (score 10)
$PLUGINSDI...ig.dll, windows7-x64 (score 3)
$PLUGINSDI...ig.dll, windows10-2004-x64 (score 3)
$PLUGINSDI...em.dll, windows7-x64 (score 3)
$PLUGINSDI...em.dll, windows10-2004-x64 (score 3)
$PLUGINSDI...or.dll, windows7-x64 (score 3)
$PLUGINSDI...or.dll, windows10-2004-x64 (score 3)
$PLUGINSDIR/inetc.dll, windows7-x64 (score 3)
$PLUGINSDIR/inetc.dll, windows10-2004-x64 (score 3)
$_18_/Uninstall.exe, windows7-x64 (score 10)
$_18_/Uninstall.exe, windows10-2004-x64 (score 10)
$PLUGINSDI...em.dll, windows7-x64 (score 3)
$PLUGINSDI...em.dll, windows10-2004-x64 (score 3)
$PLUGINSDIR/inetc.dll, windows7-x64 (score 3)
$PLUGINSDIR/inetc.dll, windows10-2004-x64 (score 3)
Analysis
max time kernel: 96s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-01-2025 06:07
Static task: static1

Behavioral tasks (sample, resource):
behavioral1: JaffaCakes118_49ee1546d533b0564b3c87bdfd17a990.exe, win7-20240903-en
behavioral2: JaffaCakes118_49ee1546d533b0564b3c87bdfd17a990.exe, win10v2004-20241007-en
behavioral3: $PLUGINSDIR/IpConfig.dll, win7-20241010-en
behavioral4: $PLUGINSDIR/IpConfig.dll, win10v2004-20241007-en
behavioral5: $PLUGINSDIR/System.dll, win7-20240903-en
behavioral6: $PLUGINSDIR/System.dll, win10v2004-20241007-en
behavioral7: $PLUGINSDIR/WmiInspector.dll, win7-20240903-en
behavioral8: $PLUGINSDIR/WmiInspector.dll, win10v2004-20241007-en
behavioral9: $PLUGINSDIR/inetc.dll, win7-20240708-en
behavioral10: $PLUGINSDIR/inetc.dll, win10v2004-20241007-en
behavioral11: $_18_/Uninstall.exe, win7-20240903-en
behavioral12: $_18_/Uninstall.exe, win10v2004-20241007-en
behavioral13: $PLUGINSDIR/System.dll, win7-20240903-en
behavioral14: $PLUGINSDIR/System.dll, win10v2004-20241007-en
behavioral15: $PLUGINSDIR/inetc.dll, win7-20240708-en
behavioral16: $PLUGINSDIR/inetc.dll, win10v2004-20241007-en
General
Target: JaffaCakes118_49ee1546d533b0564b3c87bdfd17a990.exe
Size: 372KB
MD5: 49ee1546d533b0564b3c87bdfd17a990
SHA1: 7e9e08c563e557aaac7c3aebf95ecfede47e8b17
SHA256: 69f06276091a66e62e3ea36ba440a1eb7fc4d9b2af39d66744914ebdde09789a
SHA512: debff45cfa3ed3db544df34dc9fff0b45b340a0d28dd822e2ab6ed7f34b00d1c92e7817b8fab5212820a33300b7d282c5a2ac6acb59d43d727c6fade810b19ba
SSDEEP: 6144:5e34DT2SJO4FM0rHL8Fh1tcVNwib8skL75+ZPPfnE2Qyn2FEtt2NB6+s1rqy:TT2SM2L8QktPLF+ZPPfnEUnsEWfXs1rR
Malware Config
Extracted: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
Process: JaffaCakes118_49ee1546d533b0564b3c87bdfd17a990.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Sality family

UAC bypass (signature name as listed in the process tree below)
Process: JaffaCakes118_49ee1546d533b0564b3c87bdfd17a990.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass (signature name as listed in the process tree below)
Process: JaffaCakes118_49ee1546d533b0564b3c87bdfd17a990.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Loads dropped DLL (51 IoCs)
pid 2104, Process JaffaCakes118_49ee1546d533b0564b3c87bdfd17a990.exe (51 identical entries)

Windows security modification (signature name as listed in the process tree below)
Process: JaffaCakes118_49ee1546d533b0564b3c87bdfd17a990.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled (signature name as listed in the process tree below)
Process: JaffaCakes118_49ee1546d533b0564b3c87bdfd17a990.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

yara_rule upx matched in 14 memory dumps of pid 2104 (behavioral2), all covering the range 0x00000000024F0000-0x000000000357E000:
behavioral2/memory/2104-N-0x00000000024F0000-0x000000000357E000-memory.dmp for N = 3, 1, 6, 7, 10, 11, 13, 22, 5, 4, 44, 52, 136, 195
Drops file in Windows directory (1 IoCs)
File opened for modification C:\Windows\SYSTEM.INI (Process: JaffaCakes118_49ee1546d533b0564b3c87bdfd17a990.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: JaffaCakes118_49ee1546d533b0564b3c87bdfd17a990.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid 2104, Process JaffaCakes118_49ee1546d533b0564b3c87bdfd17a990.exe (2 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token: SeDebugPrivilege, pid 2104, Process JaffaCakes118_49ee1546d533b0564b3c87bdfd17a990.exe (64 identical entries)
Suspicious use of WriteProcessMemory (15 IoCs)
pid 2104, Process JaffaCakes118_49ee1546d533b0564b3c87bdfd17a990.exe for every row (description, procid_target):
PID 2104 wrote to memory of 780, procid_target 8
PID 2104 wrote to memory of 784, procid_target 9
PID 2104 wrote to memory of 336, procid_target 13
PID 2104 wrote to memory of 2688, procid_target 47
PID 2104 wrote to memory of 2880, procid_target 50
PID 2104 wrote to memory of 3040, procid_target 51
PID 2104 wrote to memory of 3356, procid_target 55
PID 2104 wrote to memory of 3568, procid_target 57
PID 2104 wrote to memory of 3776, procid_target 58
PID 2104 wrote to memory of 3872, procid_target 59
PID 2104 wrote to memory of 3936, procid_target 60
PID 2104 wrote to memory of 4024, procid_target 61
PID 2104 wrote to memory of 3696, procid_target 62
PID 2104 wrote to memory of 2828, procid_target 74
PID 2104 wrote to memory of 4576, procid_target 76
System policy modification (1 TTPs, 1 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Process: JaffaCakes118_49ee1546d533b0564b3c87bdfd17a990.exe)
Processes (image path, command line, PID; indentation shows the process tree level)
C:\Windows\system32\fontdrvhost.exe, "fontdrvhost.exe", PID 780
C:\Windows\system32\fontdrvhost.exe, "fontdrvhost.exe", PID 784
C:\Windows\system32\dwm.exe, "dwm.exe", PID 336
C:\Windows\system32\sihost.exe, sihost.exe, PID 2688
C:\Windows\system32\svchost.exe, C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, PID 2880
C:\Windows\system32\taskhostw.exe, taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}, PID 3040
C:\Windows\Explorer.EXE, C:\Windows\Explorer.EXE, PID 3356
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49ee1546d533b0564b3c87bdfd17a990.exe, "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49ee1546d533b0564b3c87bdfd17a990.exe", PID 2104
  Signatures:
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
C:\Windows\system32\svchost.exe, C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc, PID 3568
C:\Windows\system32\DllHost.exe, C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, PID 3776
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe, "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca, PID 3872
C:\Windows\System32\RuntimeBroker.exe, C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 3936
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe, "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca, PID 4024
C:\Windows\System32\RuntimeBroker.exe, C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 3696
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe, "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca, PID 2828
C:\Windows\System32\RuntimeBroker.exe, C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 4576
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Replay Monitor
Downloads

Filesize: 114KB
MD5: a3ed6f7ea493b9644125d494fbf9a1e6
SHA1: ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8
SHA256: ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08
SHA512: 7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

Filesize: 11KB
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Filesize: 104KB
MD5: 8531346d16fa5d4768f6530d2eb2b65c
SHA1: 153601d36aa0ddfbc597b1e890917364878791ca
SHA256: a9347413de4b0f90cac0b5e300cec9c867bdb28bd7a60d07b10fd31ee56c60cb
SHA512: f214e75de20edeb7eece02659fd7dafc8c3d63c2350c58825bc6e9ce0b73237962d8273b4bc803a2f304cee9f9cad1cd4edab28322c1e678bc25eb88faa6a841

Filesize: 20KB
MD5: f02155fa3e59a8fc48a74a236b2bb42e
SHA1: 6d76ee8f86fb29f3352c9546250d940f1a476fb8
SHA256: 096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999
SHA512: 8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399