Analysis
- max time kernel: 148s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-01-2025 09:51
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe
Resource: win7-20240903-en
General
- Target: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe
- Size: 100KB
- MD5: 3e5a61ea49cac9e600e3da4cce62d3e3
- SHA1: 5397d2ca232525a6d02c1df3e2c87b6da2d07bed
- SHA256: 3e13473e0038dc30fe9aada02f7e5c6e2aa6f13479e23acfa30014beba396d3b
- SHA512: c2828da028e8c1c27da1319b3f195e6406076dc1aeb35e11f1308f39266ac95c7861d25e6c9508481c2cc8253c50a88e86148eca0dc367beb3fafc6108ed41e7
- SSDEEP: 1536:kIGs23tZbHm7eB7117xlktodCAay3dQxKMu/G9SkCnRqj3v5y5WYtgo5sSVx+rzW:kIZ23tUGH7ItstQxKr8KMj/0Ptg7SEX
Malware Config
Extracted family: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service (3 TTPs, 3 IoCs)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
-
Sality family
-
UAC bypass (3 TTPs, 1 IoC)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
-
Windows security bypass (2 TTPs, 6 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
-
Disables RegEdit via registry modification (1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
-
Disables Task Manager via registry modification
-
Windows security modification (2 TTPs, 7 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
-
Checks whether UAC is enabled (1 TTP, 1 IoC)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
-
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\V:, \??\X:, \??\E:, \??\J:, \??\M:, \??\N:, \??\R:, \??\T:, \??\Z:, \??\I:, \??\K:, \??\L:, \??\O:, \??\S:, \??\H:, \??\G:, \??\P:, \??\Q:, \??\U:, \??\W:, \??\Y: (process for each: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
-
Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
- File opened for modification: C:\autorun.inf (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- File opened for modification: F:\autorun.inf (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
-
Drops file in Program Files directory (11 IoCs)
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- File opened for modification: C:\PROGRAM FILES\7-ZIP\Uninstall.exe (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7zG.exe (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- File opened for modification: C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7z.exe (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7zFM.exe (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
-
Drops file in Windows directory (1 IoC)
- File opened for modification: C:\Windows\SYSTEM.INI (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
-
Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
-
Suspicious behavior: EnumeratesProcesses (30 IoCs, all from PID 692, JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs, all Token: SeDebugPrivilege from PID 692, JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
-
Suspicious use of WriteProcessMemory (64 IoCs, all from PID 692, JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
-
System policy modification (1 TTP, 1 IoC)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe)
Processes
-
- depth 1 | PID 800 | C:\Windows\system32\fontdrvhost.exe | command line: "fontdrvhost.exe"
- depth 1 | PID 804 | C:\Windows\system32\fontdrvhost.exe | command line: "fontdrvhost.exe"
- depth 1 | PID 316 | C:\Windows\system32\dwm.exe | command line: "dwm.exe"
- depth 1 | PID 2832 | C:\Windows\system32\sihost.exe | command line: sihost.exe
- depth 1 | PID 3004 | C:\Windows\system32\svchost.exe | command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- depth 1 | PID 1964 | C:\Windows\system32\taskhostw.exe | command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- depth 1 | PID 3444 | C:\Windows\Explorer.EXE | command line: C:\Windows\Explorer.EXE
- depth 2 | PID 692 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe | command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e5a61ea49cac9e600e3da4cce62d3e3.exe"
  Signatures triggered by this process:
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
-
- depth 1 | PID 3568 | C:\Windows\system32\svchost.exe | command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- depth 1 | PID 3756 | C:\Windows\system32\DllHost.exe | command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- depth 1 | PID 3840 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- depth 1 | PID 3940 | C:\Windows\System32\RuntimeBroker.exe | command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- depth 1 | PID 4028 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- depth 1 | PID 2296 | C:\Windows\System32\RuntimeBroker.exe | command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- depth 1 | PID 4436 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- depth 1 | PID 3608 | C:\Windows\System32\RuntimeBroker.exe | command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- depth 1 | PID 840 | C:\Windows\system32\backgroundTaskHost.exe | command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
-
- Filesize: 100KB
- MD5: 2d7b98a9e26483c2077407b7fd57cf7f
- SHA1: 8c7932b2b7865eacf5dcc065d07057f464c835ea
- SHA256: a9db845afa431efbd8e6e3bdebc25a1c31d593dfbadeb34f6594538db7a2ade8
- SHA512: 3d7f1896b016f54f00ae59408676a2a973e1858d3ad55be67bbd750547b4efc198941af87730d01eece6d990dd38bddb1dc3ad61329908931c2a9812ec268230