Analysis
  max time kernel: 28s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 27-01-2025 15:45
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
  Resource: win7-20240903-en
General
  Target: JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
  Size: 419KB
  MD5: 4127f1773178d0597c0a54b719689c86
  SHA1: 2a89d552abfeadd203df210bb1166f5e93663df8
  SHA256: 18c1d4cdefc2fec292716c8ca114ba756342517066fb6beac11d2fc998d5f57b
  SHA512: 20d7fb6e0cbfddb08c0e14e2053daefba3a1a94e799511fa651199512177581e76d621d983fa9cd45bc5635f1eeab31d46766978d2a97857cc5569d448619822
  SSDEEP: 6144:4ltC6+RPi6dSTaUNcneIUqdKLwJ+V1pNtlHlWi4lIe5WL5thveXDtH0Nff3hfKMW:8+138aCbItdLulV4lTc5/0tUyk0XVh
Malware Config
  Extracted
  Family: sality
  URLs:
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
    http://www.klkjwre9fqwieluoi.info/
    http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | server.exe

Sality family
UAC bypass (3 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
Windows security bypass (2 TTPs, 12 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
Disables RegEdit via registry modification (2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | server.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe

Disables Task Manager via registry modification
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
Executes dropped EXE (2 IoCs)
  pid | Process
  216 | 1.exe
  4648 | server.exe
Windows security modification (2 TTPs, 14 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | server.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
Checks whether UAC is enabled (1 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
  resource | yara_rule
  behavioral2/memory/4648-33-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
  behavioral2/memory/4648-35-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
  behavioral2/memory/4648-36-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
  behavioral2/memory/4648-34-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
  behavioral2/memory/4648-31-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
  behavioral2/memory/4648-32-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
  behavioral2/memory/4648-49-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
  behavioral2/memory/4648-51-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
  behavioral2/memory/4648-50-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
  behavioral2/memory/4648-54-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
  behavioral2/memory/4648-55-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
  behavioral2/memory/4648-58-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
  behavioral2/memory/4648-69-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
  behavioral2/memory/432-81-0x0000000007A70000-0x0000000008AFE000-memory.dmp | upx
  behavioral2/memory/432-79-0x0000000007A70000-0x0000000008AFE000-memory.dmp | upx
  behavioral2/memory/432-85-0x0000000007A70000-0x0000000008AFE000-memory.dmp | upx
  behavioral2/memory/432-87-0x0000000007A70000-0x0000000008AFE000-memory.dmp | upx
  behavioral2/memory/432-88-0x0000000007A70000-0x0000000008AFE000-memory.dmp | upx
  behavioral2/memory/432-86-0x0000000007A70000-0x0000000008AFE000-memory.dmp | upx
  behavioral2/memory/432-84-0x0000000007A70000-0x0000000008AFE000-memory.dmp | upx
  behavioral2/memory/432-83-0x0000000007A70000-0x0000000008AFE000-memory.dmp | upx
  behavioral2/memory/432-82-0x0000000007A70000-0x0000000008AFE000-memory.dmp | upx
  behavioral2/memory/432-91-0x0000000007A70000-0x0000000008AFE000-memory.dmp | upx
  behavioral2/memory/432-90-0x0000000007A70000-0x0000000008AFE000-memory.dmp | upx
  behavioral2/memory/432-93-0x0000000007A70000-0x0000000008AFE000-memory.dmp | upx
  behavioral2/memory/432-94-0x0000000007A70000-0x0000000008AFE000-memory.dmp | upx
  behavioral2/memory/432-95-0x0000000007A70000-0x0000000008AFE000-memory.dmp | upx
  behavioral2/memory/432-96-0x0000000007A70000-0x0000000008AFE000-memory.dmp | upx
  behavioral2/memory/432-99-0x0000000007A70000-0x0000000008AFE000-memory.dmp | upx
  behavioral2/memory/432-101-0x0000000007A70000-0x0000000008AFE000-memory.dmp | upx
  behavioral2/memory/432-103-0x0000000007A70000-0x0000000008AFE000-memory.dmp | upx
  behavioral2/memory/432-105-0x0000000007A70000-0x0000000008AFE000-memory.dmp | upx
  behavioral2/memory/432-106-0x0000000007A70000-0x0000000008AFE000-memory.dmp | upx
Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SYSTEM.INI | server.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process
  4648 | server.exe (6 identical entries)
  432 | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe (4 identical entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4648 | server.exe (64 identical entries)
Suspicious use of WriteProcessMemory (59 IoCs; duplicate rows collapsed, count in parentheses)
  description | pid | Process | procid_target
  PID 432 wrote to memory of 216 | 432 | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe | 82 (x2)
  PID 432 wrote to memory of 4648 | 432 | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe | 83 (x3)
  PID 4648 wrote to memory of 784 | 4648 | server.exe | 8
  PID 4648 wrote to memory of 792 | 4648 | server.exe | 9
  PID 4648 wrote to memory of 380 | 4648 | server.exe | 13
  PID 4648 wrote to memory of 2792 | 4648 | server.exe | 49
  PID 4648 wrote to memory of 2844 | 4648 | server.exe | 50
  PID 4648 wrote to memory of 2932 | 4648 | server.exe | 52
  PID 4648 wrote to memory of 3540 | 4648 | server.exe | 56 (x5)
  PID 4648 wrote to memory of 3716 | 4648 | server.exe | 57
  PID 4648 wrote to memory of 3888 | 4648 | server.exe | 58
  PID 4648 wrote to memory of 3988 | 4648 | server.exe | 59
  PID 4648 wrote to memory of 4052 | 4648 | server.exe | 60
  PID 4648 wrote to memory of 588 | 4648 | server.exe | 61
  PID 4648 wrote to memory of 3924 | 4648 | server.exe | 62
  PID 4648 wrote to memory of 1060 | 4648 | server.exe | 75
  PID 4648 wrote to memory of 5008 | 4648 | server.exe | 76
  PID 4648 wrote to memory of 432 | 4648 | server.exe | 81 (x2)
  PID 4648 wrote to memory of 216 | 4648 | server.exe | 82
  PID 216 wrote to memory of 2856 | 216 | 1.exe | 84 (x2)
  PID 432 wrote to memory of 784 | 432 | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe | 8 (x2)
  PID 432 wrote to memory of 792 | 432 | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe | 9 (x2)
  PID 432 wrote to memory of 380 | 432 | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe | 13 (x2)
  PID 432 wrote to memory of 2792 | 432 | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe | 49 (x2)
  PID 432 wrote to memory of 2844 | 432 | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe | 50 (x2)
  PID 432 wrote to memory of 2932 | 432 | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe | 52 (x2)
  PID 432 wrote to memory of 3540 | 432 | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe | 56 (x2)
  PID 432 wrote to memory of 3716 | 432 | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe | 57 (x2)
  PID 432 wrote to memory of 3888 | 432 | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe | 58 (x2)
  PID 432 wrote to memory of 3988 | 432 | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe | 59 (x2)
  PID 432 wrote to memory of 4052 | 432 | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe | 60 (x2)
  PID 432 wrote to memory of 588 | 432 | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe | 61 (x2)
  PID 432 wrote to memory of 3924 | 432 | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe | 62 (x2)
  PID 432 wrote to memory of 1060 | 432 | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe | 75 (x2)
  PID 432 wrote to memory of 5008 | 432 | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe | 76 (x2)
System policy modification (1 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Processes (tree depth shown by indentation; format: PID, image path, command line, matched signatures)

PID 784   C:\Windows\system32\fontdrvhost.exe   "fontdrvhost.exe"
PID 792   C:\Windows\system32\fontdrvhost.exe   "fontdrvhost.exe"
PID 380   C:\Windows\system32\dwm.exe   "dwm.exe"
PID 2792  C:\Windows\system32\sihost.exe   sihost.exe
PID 2844  C:\Windows\system32\svchost.exe   C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2932  C:\Windows\system32\taskhostw.exe   taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3540  C:\Windows\Explorer.EXE   C:\Windows\Explorer.EXE
  PID 432   C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe   "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4127f1773178d0597c0a54b719689c86.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Windows security modification
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID 216   C:\Users\Admin\AppData\Local\Temp\1.exe   "C:\Users\Admin\AppData\Local\Temp\1.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID 2856  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe   dw20.exe -x -s 808
        - Checks processor information in registry
        - Enumerates system info in registry
    PID 4648  C:\Users\Admin\AppData\Local\Temp\server.exe   "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
PID 3716  C:\Windows\system32\svchost.exe   C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3888  C:\Windows\system32\DllHost.exe   C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3988  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe   "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 4052  C:\Windows\System32\RuntimeBroker.exe   C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 588   C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe   "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 3924  C:\Windows\System32\RuntimeBroker.exe   C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 1060  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe   "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 5008  C:\Windows\System32\RuntimeBroker.exe   C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15 (counts in parentheses)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
  Dropped file 1
    Filesize: 174KB
    MD5: 720442f6a69c5a7f9fc98c369a2b1932
    SHA1: 08c29ba11ca18626ea0cde321426de60eeb06791
    SHA256: 8fcd3ff8b91dadba8f3b8a80f49ef02ad4fe94839d86e493580f9021fad4404a
    SHA512: d484f1373635cd78144be753d91d02b123680875468880488f044db6650d1abc24af48490c937fd25fc4b8a6e7a6f655f90b829c4a1e0721f83921337775db4f
  Dropped file 2
    Filesize: 124KB
    MD5: b0ca348e242deee7ea5417a15a84c1a4
    SHA1: 2a727655feb43796810fde263877aa5cfa2ac3ce
    SHA256: 2a8d2bce7a164527e5aab01da2b5c8fc683dbd82958de6a311c5a0a7b40eec5a
    SHA512: 4eb5aee58dda6c0f7b7170bf67c73b0cb6da7885c04937f5f8757adf987942ff0319b01b7cfbf9d940a0f4ef745d6d9cd5f35508c633dbfccd77ad033e36b98f
  Dropped file 3
    Filesize: 257B
    MD5: baba7cfc1722d51508807747f62b99aa
    SHA1: b592cfd973cdc2679c1d903451c7dfb6c048493b
    SHA256: 558d324d3afef35575029712147d4eef52f48fed5d666c5292697e2e483db4db
    SHA512: 1309bffa5240e4854a7fce17444749ecba138d9e60bd9ce688959da4fc070d6cfb0745413ec1c30da6b90882e6de9802ecb136bf4fccc2e16d3535a5da0e51ad