Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02-01-2025 08:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe
Resource
win7-20240903-en
windows7-x64
22 signatures
150 seconds
General
-
Target
JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe
-
Size
172KB
-
MD5
63db203857d3274284373b7b274eeaf0
-
SHA1
415a36621eb0f772a385b2698a1183df8d88342d
-
SHA256
1b0719fb85fe2ea6f9bdc5a8debdcc998209162ab3fb66ff73daaa3f3a839689
-
SHA512
344cf3c4fd5a72e51eec639f987ba07e557fd37e1aedea097b60ef821d132229b057e82c88c84e9567a1d609456109f97f6f58ace951fce237bc1ef2301e39ff
-
SSDEEP
3072:3xf026qbJ1y4GNq5jz+/YiMavc+UuOBbkfRODUHd1SFKlaMGJ:8qHGoq/TMXwgbaTdx8bJ
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe -
Ramnit family
-
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe -
Executes dropped EXE 1 IoCs
pid Process 2736 WaterMark.exe -
Loads dropped DLL 2 IoCs
pid Process 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
resource yara_rule behavioral1/memory/2024-10-0x00000000023D0000-0x000000000345E000-memory.dmp upx behavioral1/memory/2024-8-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2024-7-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2024-11-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2024-5-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2024-4-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2024-3-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2024-2-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2024-42-0x00000000023D0000-0x000000000345E000-memory.dmp upx behavioral1/memory/2024-19-0x00000000023D0000-0x000000000345E000-memory.dmp upx behavioral1/memory/2024-17-0x00000000023D0000-0x000000000345E000-memory.dmp upx behavioral1/memory/2024-18-0x00000000023D0000-0x000000000345E000-memory.dmp upx behavioral1/memory/2736-62-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2024-20-0x00000000023D0000-0x000000000345E000-memory.dmp upx behavioral1/memory/2024-21-0x00000000023D0000-0x000000000345E000-memory.dmp upx behavioral1/memory/2024-16-0x00000000023D0000-0x000000000345E000-memory.dmp upx behavioral1/memory/2024-15-0x00000000023D0000-0x000000000345E000-memory.dmp upx behavioral1/memory/2024-14-0x00000000023D0000-0x000000000345E000-memory.dmp upx behavioral1/memory/2736-111-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2736-665-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Windows.Presentation.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\logger\libfile_logger_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libbluescreen_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\jp2native.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Design.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libwave_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIBUtils.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\npdeployJava1.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationCore.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libwin_hotkeys_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe svchost.exe File opened for modification C:\Program Files\Windows Defender\MpOAV.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Speech.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\npvlc.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_realrtsp_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libequalizer_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libfloat_mixer_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libvod_rtsp_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\clock.html svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\authplay.dll svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\zip.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libsdp_plugin.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\jsdbgui.dll svchost.exe File opened for modification C:\Program Files\7-Zip\7z.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsBase.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwasapi_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libgrey_yuv_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\decora-sse.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\policytool.exe svchost.exe File opened for modification C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\libGLESv2.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libhttp_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwLatin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmotiondetect_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCL.DLL svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_srt_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libcdg_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Net.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_dummy_plugin.dll svchost.exe File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\dcpr.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\ReachFramework.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Xml.Linq.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libnoseek_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\rmid.exe svchost.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 38 IoCs
pid Process 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe 2736 WaterMark.exe 2736 WaterMark.exe 2736 WaterMark.exe 2736 WaterMark.exe 2736 WaterMark.exe 2736 WaterMark.exe 2736 WaterMark.exe 2736 WaterMark.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe 2632 svchost.exe -
Suspicious use of AdjustPrivilegeToken 26 IoCs
description pid Process Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe Token: SeDebugPrivilege 2736 WaterMark.exe Token: SeDebugPrivilege 2632 svchost.exe Token: SeDebugPrivilege 2736 WaterMark.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe 2736 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2024 wrote to memory of 1120 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe 19 PID 2024 wrote to memory of 1168 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe 20 PID 2024 wrote to memory of 1212 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe 21 PID 2024 wrote to memory of 1540 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe 23 PID 2024 wrote to memory of 2736 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe 31 PID 2024 wrote to memory of 2736 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe 31 PID 2024 wrote to memory of 2736 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe 31 PID 2024 wrote to memory of 2736 2024 JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe 31 PID 2736 wrote to memory of 2576 2736 WaterMark.exe 32 PID 2736 wrote to memory of 2576 2736 WaterMark.exe 32 PID 2736 wrote to memory of 2576 2736 WaterMark.exe 32 PID 2736 wrote to memory of 2576 2736 WaterMark.exe 32 PID 2736 wrote to memory of 2576 2736 WaterMark.exe 32 PID 2736 wrote to memory of 2576 2736 WaterMark.exe 32 PID 2736 wrote to memory of 2576 2736 WaterMark.exe 32 PID 2736 wrote to memory of 2576 2736 WaterMark.exe 32 PID 2736 wrote to memory of 2576 2736 WaterMark.exe 32 PID 2736 wrote to memory of 2576 2736 WaterMark.exe 32 PID 2736 wrote to memory of 2632 2736 WaterMark.exe 33 PID 2736 wrote to memory of 2632 2736 WaterMark.exe 33 PID 2736 wrote to memory of 2632 2736 WaterMark.exe 33 PID 2736 wrote to memory of 2632 2736 WaterMark.exe 33 PID 2736 wrote to memory of 2632 2736 WaterMark.exe 33 PID 2736 wrote to memory of 2632 2736 WaterMark.exe 33 PID 2736 wrote to memory of 2632 2736 WaterMark.exe 33 PID 2736 wrote to memory of 2632 2736 WaterMark.exe 33 PID 2736 wrote to memory of 2632 2736 WaterMark.exe 33 PID 2736 wrote to memory of 2632 2736 WaterMark.exe 33 PID 2632 wrote to memory of 256 2632 svchost.exe 1 PID 2632 wrote to memory of 256 2632 svchost.exe 1 PID 2632 wrote to memory of 256 2632 svchost.exe 1 PID 2632 wrote to memory of 256 2632 svchost.exe 1 PID 2632 wrote to memory of 256 2632 svchost.exe 1 PID 2632 wrote to memory of 332 2632 svchost.exe 2 PID 2632 wrote to memory of 332 2632 svchost.exe 2 PID 2632 wrote to memory of 332 2632 svchost.exe 2 PID 2632 wrote to memory of 332 2632 svchost.exe 2 PID 2632 wrote to memory of 332 2632 svchost.exe 2 PID 2632 wrote to memory of 380 2632 svchost.exe 3 PID 2632 wrote to memory of 380 2632 svchost.exe 3 PID 2632 wrote to memory of 380 2632 svchost.exe 3 PID 2632 wrote to memory of 380 2632 svchost.exe 3 PID 2632 wrote to memory of 380 2632 svchost.exe 3 PID 2632 wrote to memory of 388 2632 svchost.exe 4 PID 2632 wrote to memory of 388 2632 svchost.exe 4 PID 2632 wrote to memory of 388 2632 svchost.exe 4 PID 2632 wrote to memory of 388 2632 svchost.exe 4 PID 2632 wrote to memory of 388 2632 svchost.exe 4 PID 2632 wrote to memory of 428 2632 svchost.exe 5 PID 2632 wrote to memory of 428 2632 svchost.exe 5 PID 2632 wrote to memory of 428 2632 svchost.exe 5 PID 2632 wrote to memory of 428 2632 svchost.exe 5 PID 2632 wrote to memory of 428 2632 svchost.exe 5 PID 2632 wrote to memory of 472 2632 svchost.exe 6 PID 2632 wrote to memory of 472 2632 svchost.exe 6 PID 2632 wrote to memory of 472 2632 svchost.exe 6 PID 2632 wrote to memory of 472 2632 svchost.exe 6 PID 2632 wrote to memory of 472 2632 svchost.exe 6 PID 2632 wrote to memory of 488 2632 svchost.exe 7 PID 2632 wrote to memory of 488 2632 svchost.exe 7 PID 2632 wrote to memory of 488 2632 svchost.exe 7 PID 2632 wrote to memory of 488 2632 svchost.exe 7 PID 2632 wrote to memory of 488 2632 svchost.exe 7 PID 2632 wrote to memory of 496 2632 svchost.exe 8 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:332
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:380
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:472
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:600
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:1540
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵PID:1816
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding4⤵PID:2740
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:680
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:756
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:824
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1168
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:860
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵PID:2172
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:972
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:284
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:344
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:1080
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1120
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵PID:804
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:788
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:2252
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:488
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:496
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:388
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:428
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1212
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63db203857d3274284373b7b274eeaf0.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2024 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2576
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize358KB
MD53e8f6a7f369f3caea1a7c486f3a9d24e
SHA12bf3eb3f4d7d8f57caccefd815e11b2c527be3b9
SHA2564b02207a24de90fd2fa8f8b6ad74b1a8885348edc2ab835ec85bc0432eeb12f1
SHA512c06c346c6e3586116556ed78353977df50c9d75256e473b1f34148606dfae89b8083b0d2c1e8fc23de2e6a7591c4ae65e7bde22b7aad5a682aeb9cff71b15466
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize354KB
MD5714d05a62275ec8ae0683b171d8d05e8
SHA1c73dafd7f52e302957bbd1842570e7f5aa0d68e9
SHA2565071cfedbdffc43f19b75dec0d76b5cb338a97784ab9a5cfae6961ee18ca5a4a
SHA51220602a987968f404cd6b196a9c8289626c8137103b62f868a8b707b8842fcf7db8d7ea71f6f34dd2fa4bf4bc58c7ea991a66cc5fcb284939c0398ec14bfd781d
-
Filesize
172KB
MD563db203857d3274284373b7b274eeaf0
SHA1415a36621eb0f772a385b2698a1183df8d88342d
SHA2561b0719fb85fe2ea6f9bdc5a8debdcc998209162ab3fb66ff73daaa3f3a839689
SHA512344cf3c4fd5a72e51eec639f987ba07e557fd37e1aedea097b60ef821d132229b057e82c88c84e9567a1d609456109f97f6f58ace951fce237bc1ef2301e39ff