Analysis
max time kernel: 125s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26-01-2025 06:51
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Size: 298KB
MD5: 335c2a851afb774d2f791c81971642d9
SHA1: 03edc99622d42a7d835cca12dca68776a8eeb8c5
SHA256: 7c35c1edabc4cf394ae493e9f7bb2f0ad896c0d031b540b633dcb7239498f4cd
SHA512: f31c425f6db6d0e8e23a9bf8ce5c7d6b9b84f14832962818e5cd451c35a4c39a05c9132732ee716a690b7c4df74f4717628e4df7fe227853d326ee0000c48c15
SSDEEP: 6144:FRgym92YGB+40mPLGPAU7rr8pf39ZqIyM/8tv60seaqBRqNGsJEZ:X6fu+40mPIrrc3twvnBamqQ4W
Malware Config
Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Sality family

UAC bypass 3 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe

Windows security bypass 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Executes dropped EXE 1 IoCs
pid | Process
2696 | winvnc.exe

Loads dropped DLL 5 IoCs
pid | Process
2456 | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
2456 | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
2696 | winvnc.exe
2696 | winvnc.exe
2696 | winvnc.exe

Windows security modification 2 TTPs 7 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\T: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened (read-only) | \??\R: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened (read-only) | \??\V: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened (read-only) | \??\J: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened (read-only) | \??\N: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened (read-only) | \??\O: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened (read-only) | \??\I: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened (read-only) | \??\M: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened (read-only) | \??\S: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened (read-only) | \??\U: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened (read-only) | \??\W: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened (read-only) | \??\E: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened (read-only) | \??\G: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened (read-only) | \??\H: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened (read-only) | \??\Q: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened (read-only) | \??\X: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened (read-only) | \??\Y: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened (read-only) | \??\Z: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened (read-only) | \??\K: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened (read-only) | \??\L: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened (read-only) | \??\P: | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened for modification | F:\autorun.inf | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe

resource | yara_rule
behavioral1/memory/2456-2-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-41-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-44-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-39-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-38-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-35-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-40-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-36-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-37-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-42-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-78-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-79-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-80-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-81-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-82-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-84-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-85-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-87-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-97-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-99-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-101-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-102-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-105-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-107-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-111-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-115-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
behavioral1/memory/2456-117-0x00000000022D0000-0x000000000338A000-memory.dmp | upx
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe

Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
File created | C:\Windows\f76d24d | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winvnc.exe
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid | Process
2456 | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe (13 identical entries)

Suspicious use of AdjustPrivilegeToken 30 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2456 | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe (30 identical entries)
Suspicious use of WriteProcessMemory 61 IoCs
description | pid | Process | procid_target
PID 2456 wrote to memory of 2696 | 2456 | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe | 31 (9 entries)
PID 2456 wrote to memory of 1108 | 2456 | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe | 19 (13 entries)
PID 2456 wrote to memory of 1172 | 2456 | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe | 20 (13 entries)
PID 2456 wrote to memory of 1212 | 2456 | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe | 21 (13 entries)
PID 2456 wrote to memory of 792 | 2456 | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe | 25 (13 entries)
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe
Processes
process | command line | PID
C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1108
C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1172
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1212
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_335c2a851afb774d2f791c81971642d9.exe" | PID:2456
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
    C:\Users\Admin\AppData\Local\Temp\7zSD22D.tmp\winvnc.exe | .\winvnc.exe | PID:2696
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:792
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
-
Filesize: 226KB
MD5: 51d2d74d1f154ee07ed088f2540bfae5
SHA1: af10265e6f877048246b11ebfebcb9f32f1e7ed7
SHA256: 54f56f3527b8faf17a20fa75cc749f828377192beede1465daf5b5120922051f
SHA512: 05d516150a023bfc7b877d09864219454739b87586971ec0b85e0fae9a1e013a702b5d10f0d86cddab244362ac79eaecbd3351a4839a0099d01b5f9756ed3e81
-
Filesize: 1KB
MD5: 93f636c3397ca48faf5fcac334c6d528
SHA1: 0ed2b1511139a649b11d8d9217f7b6eb930018df
SHA256: 30544004aa76c16bd88e4674c0826a1beb37c5baccfb4a8b2aa7f6e7400296e6
SHA512: b607157522721a9f94d896457d4fc00c313e35e210d3f3d61caa42f508f419d76bfc3c050fa0ea94597e37bc9ccf6c7ed38cb0b10ad801ae4fb6d378fc91c47c
-
Filesize: 3KB
MD5: 13ac6267ff929f9735ab71a5f4d51d83
SHA1: 25318f84512d35a3efcc1c95281fc81f4af13a1d
SHA256: 8118e0ecd7fd7912bd8bcc3a9ec2e81628a05a621afa28e5ee285e2f82b38f59
SHA512: e5e08df0355d7cf0b9b29e94def9e28c6dfaf4c94ae15ed99a1ed0b97dfbb26551465fb1eebcc6b76e4e016530f1e88919daf6b8ec180f41cc87a2551d5e6fc5
-
Filesize: 35KB
MD5: 04e5513a3bfa62f6076e28241f17f9d2
SHA1: 151b9d1b711a31c2446d364b900bef69b5810e28
SHA256: 6285f1e7a7ca04479737c25dafd987d8a5c9d8b4ed29c0cb3d51603055453de0
SHA512: c1fe19764a91991bf4af3a60ffa529f45628f9404e4467de5d0353bc2b01ae858a3973743f3ae4e385791146a27c80f3e6622deff1b6c89ad1310c8e6fa01c10
-
Filesize: 236KB
MD5: 77de6bb7c680776fa67a5646072b7fed
SHA1: 7f3c35d85c96ff903844feaf1aed010a34119c40
SHA256: 50831333c6ba49fc871ca20f4a4778119e24fb975912023fd4c8bfd72b45c191
SHA512: c7e84578ac2ad87c4595496e695f66245910a446aaa54cc2540feed18a0cc6933d88570aa0280749e5ae8374f6643d20e98ca57f6ad437cc3dc6acf916a4bd5a
-
Filesize: 97KB
MD5: c549cf9ddeebbd0230186aef808e7eb1
SHA1: 090f06eb823b4a6e81b5d55b4ca1a2ff6041e4eb
SHA256: 6be0a5860cc8c7c46613062bdb02f2fd9af0c7b086b17de58f723e378f5f9b0b
SHA512: 9729bda11b13910de57dd06cd3724ea77f357111c107bdba338d1fd73a93fb65dbd2f2ac3575caa3f2252f6008e74863c93c9a74d49ce6d0585baebd5f540120