sality | 23e3ab7bc781a79ac6ee3d4c72c01ce24ed06688251bfe39e1f7aee82f5a1ae6

Analysis

max time kernel
26s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Size

3.4MB
MD5

4342c64738e12a84303e4592e9a4a882
SHA1

aefeaed87862130255090ecd98d07c9bd3b81d8c
SHA256

23e3ab7bc781a79ac6ee3d4c72c01ce24ed06688251bfe39e1f7aee82f5a1ae6
SHA512

23107a9f21e03ea37e2124000ddadfef50b0da974acd71ba3bef938cf3277a2d3f0602d5ac28cf91198fc17041b7e4431cd1dce7a67b3d7f8376010a75566e9c
SSDEEP

98304:Ow6YhCrNyctDPs/BNnX+ICRVbZt4G5byJYZ:5grk2s//OZOObyi

Score

10^/10

sality backdoor defense_evasion discovery persistence privilege_escalation trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ay2a3atf.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4576	netsh.exe
2084	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe

Deletes itself 1 IoCs

pid	Process
928	ay2a3atf.exe

Executes dropped EXE 3 IoCs

pid	Process
1196	migamix.exe
3468	migamix.exe
928	ay2a3atf.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ay2a3atf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\__tmp_rar_sfx_access_check_240630140	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
File created	C:\WINDOWS\SysWOW64\migamix.exe	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
File opened for modification	C:\WINDOWS\SysWOW64\migamix.exe	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
File created	C:\WINDOWS\SysWOW64\ay2a3atf.exe	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
File opened for modification	C:\WINDOWS\SysWOW64\ay2a3atf.exe	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1196 set thread context of 3468	1196	migamix.exe	85

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4436-1-0x0000000002310000-0x0000000003340000-memory.dmp	upx
behavioral2/memory/4436-6-0x0000000002310000-0x0000000003340000-memory.dmp	upx
behavioral2/memory/4436-7-0x0000000002310000-0x0000000003340000-memory.dmp	upx
behavioral2/memory/4436-4-0x0000000002310000-0x0000000003340000-memory.dmp	upx
behavioral2/memory/4436-37-0x0000000002310000-0x0000000003340000-memory.dmp	upx
behavioral2/memory/4436-35-0x0000000002310000-0x0000000003340000-memory.dmp	upx
behavioral2/memory/928-80-0x0000000004CE0000-0x0000000005D10000-memory.dmp	upx
behavioral2/memory/928-81-0x0000000004CE0000-0x0000000005D10000-memory.dmp	upx
behavioral2/memory/928-78-0x0000000004CE0000-0x0000000005D10000-memory.dmp	upx
behavioral2/memory/928-90-0x0000000004CE0000-0x0000000005D10000-memory.dmp	upx
behavioral2/memory/928-92-0x0000000004CE0000-0x0000000005D10000-memory.dmp	upx
behavioral2/memory/928-105-0x0000000004CE0000-0x0000000005D10000-memory.dmp	upx
behavioral2/memory/928-106-0x0000000004CE0000-0x0000000005D10000-memory.dmp	upx
behavioral2/memory/928-107-0x0000000004CE0000-0x0000000005D10000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	ay2a3atf.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	ay2a3atf.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	ay2a3atf.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	migamix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	migamix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ay2a3atf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
3468	migamix.exe
3468	migamix.exe
3468	migamix.exe
3468	migamix.exe
928	ay2a3atf.exe
928	ay2a3atf.exe
928	ay2a3atf.exe
928	ay2a3atf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Token: SeDebugPrivilege	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 784	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	9
PID 4436 wrote to memory of 792	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	10
PID 4436 wrote to memory of 316	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	13
PID 4436 wrote to memory of 2672	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	44
PID 4436 wrote to memory of 2680	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	45
PID 4436 wrote to memory of 3020	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	51
PID 4436 wrote to memory of 3456	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	56
PID 4436 wrote to memory of 3596	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	57
PID 4436 wrote to memory of 3776	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	58
PID 4436 wrote to memory of 3864	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	59
PID 4436 wrote to memory of 3924	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	60
PID 4436 wrote to memory of 4008	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	61
PID 4436 wrote to memory of 4148	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	62
PID 4436 wrote to memory of 3748	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	74
PID 4436 wrote to memory of 3324	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	76
PID 4436 wrote to memory of 4576	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	82
PID 4436 wrote to memory of 4576	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	82
PID 4436 wrote to memory of 4576	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	82
PID 4436 wrote to memory of 1196	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	84
PID 4436 wrote to memory of 1196	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	84
PID 4436 wrote to memory of 1196	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	84
PID 1196 wrote to memory of 3468	1196	migamix.exe	85
PID 1196 wrote to memory of 3468	1196	migamix.exe	85
PID 1196 wrote to memory of 3468	1196	migamix.exe	85
PID 1196 wrote to memory of 3468	1196	migamix.exe	85
PID 1196 wrote to memory of 3468	1196	migamix.exe	85
PID 1196 wrote to memory of 3468	1196	migamix.exe	85
PID 4436 wrote to memory of 928	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	86
PID 4436 wrote to memory of 928	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	86
PID 4436 wrote to memory of 928	4436	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe	86
PID 3468 wrote to memory of 3456	3468	migamix.exe	56
PID 3468 wrote to memory of 3456	3468	migamix.exe	56
PID 3468 wrote to memory of 3456	3468	migamix.exe	56
PID 3468 wrote to memory of 3456	3468	migamix.exe	56
PID 928 wrote to memory of 784	928	ay2a3atf.exe	9
PID 928 wrote to memory of 792	928	ay2a3atf.exe	10
PID 928 wrote to memory of 316	928	ay2a3atf.exe	13
PID 928 wrote to memory of 2084	928	ay2a3atf.exe	87
PID 928 wrote to memory of 2084	928	ay2a3atf.exe	87
PID 928 wrote to memory of 2084	928	ay2a3atf.exe	87
PID 928 wrote to memory of 2672	928	ay2a3atf.exe	44
PID 928 wrote to memory of 2680	928	ay2a3atf.exe	45
PID 928 wrote to memory of 3020	928	ay2a3atf.exe	51
PID 928 wrote to memory of 3456	928	ay2a3atf.exe	56
PID 928 wrote to memory of 3596	928	ay2a3atf.exe	57
PID 928 wrote to memory of 3776	928	ay2a3atf.exe	58
PID 928 wrote to memory of 3864	928	ay2a3atf.exe	59
PID 928 wrote to memory of 3924	928	ay2a3atf.exe	60
PID 928 wrote to memory of 4008	928	ay2a3atf.exe	61
PID 928 wrote to memory of 4148	928	ay2a3atf.exe	62
PID 928 wrote to memory of 3748	928	ay2a3atf.exe	74
PID 928 wrote to memory of 3324	928	ay2a3atf.exe	76
PID 928 wrote to memory of 784	928	ay2a3atf.exe	9
PID 928 wrote to memory of 792	928	ay2a3atf.exe	10
PID 928 wrote to memory of 316	928	ay2a3atf.exe	13
PID 928 wrote to memory of 2672	928	ay2a3atf.exe	44
PID 928 wrote to memory of 2680	928	ay2a3atf.exe	45
PID 928 wrote to memory of 3020	928	ay2a3atf.exe	51
PID 928 wrote to memory of 3456	928	ay2a3atf.exe	56
PID 928 wrote to memory of 3596	928	ay2a3atf.exe	57
PID 928 wrote to memory of 3776	928	ay2a3atf.exe	58
PID 928 wrote to memory of 3864	928	ay2a3atf.exe	59
PID 928 wrote to memory of 3924	928	ay2a3atf.exe	60
PID 928 wrote to memory of 4008	928	ay2a3atf.exe	61

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ay2a3atf.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:316

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2680

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3020

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3456
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4436
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4576
- - C:\WINDOWS\SysWOW64\migamix.exe
    "C:\WINDOWS\system32\migamix.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\WINDOWS\SysWOW64\migamix.exe
      C:\WINDOWS\SysWOW64\migamix.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3468
- - C:\WINDOWS\SysWOW64\ay2a3atf.exe
    "C:\WINDOWS\system32\ay2a3atf.exe"
    3⤵
    - UAC bypass
    - Deletes itself
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:928
  - - C:\WINDOWS\SysWOW64\netsh.exe
      netsh firewall set opmode disable
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3776

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3864

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3924

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4008

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4148

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3748

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0E57B834_Rar\JaffaCakes118_4342c64738e12a84303e4592e9a4a882.exe

Filesize
3.4MB

MD5
8127d21332723bb91d14a8408e49dfba

SHA1
0b32d87274817f37fdeeb1ec4d4152dde641088a

SHA256
1cd0b7cc362075ac8995b3425f56dd389bb5fb3c9dbe8404ae408820cbbf1912

SHA512
e5f434a39d05aa20a3215ed3ba70c4aae76f17c27a88f814d9ebe43830871f455afb0dfb685a2d0a4ecc7568880d54ad32bffa728c5f85fae5d400da4ce29293

Download Submit
C:\Windows\SYSTEM.INI

Filesize
258B

MD5
509796a341dadb1a12455dcc4ae0b2ef

SHA1
99193646525e31496aa5d1e553e4db52cae49733

SHA256
9c049627d1f0ca29d215e83780a28df66c23423a25b19f17a6f4b5b00cff380b

SHA512
c0b369700bf8b11cba735bb7e7380da5765d4371a87d6b7b2af15fb504167b45ed302578bc471be7722382074c1c11b1696c91dd65d71a7099d4c5cff4d47b2e

Download Submit
C:\Windows\SysWOW64\ay2a3atf.exe

Filesize
3.9MB

MD5
2c11ce4be0aae4f1e91398032b2929e7

SHA1
a5f48c8a6c59c1b500c0930d7576dcdd3af218c3

SHA256
55a55e2f2415e6e831c1dace04cc58f955ebcd489d522c48183701f201468c09

SHA512
d1c6944ec681f95130850e34a232b187ff4234ef1ba80dddd903dcd71cca603ac23da62a315b766817457be3569e2afb876a436d78bacfaaf32748025ea4bc08

Download Submit
C:\Windows\SysWOW64\migamix.exe

Filesize
38KB

MD5
7857b804240902da8c60d4e36a7e1a9f

SHA1
27943c33bd98e24471713d82029c0c6d11fb2f88

SHA256
c3f7b3befe28dc5fdbab29534b7e6c371a5385b562833e47117ee4c294ac9046

SHA512
12e8465d39ad26944437cd7c48eaace9835a352d6bf5fd9c2ada0f24df967699c8b3833e8e038e01682b70cbe3940f89fead1886844da8f44648448b55f0547f

Download Submit
memory/928-105-0x0000000004CE0000-0x0000000005D10000-memory.dmp

Filesize
16.2MB

Download
memory/928-150-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/928-80-0x0000000004CE0000-0x0000000005D10000-memory.dmp

Filesize
16.2MB

Download
memory/928-90-0x0000000004CE0000-0x0000000005D10000-memory.dmp

Filesize
16.2MB

Download
memory/928-106-0x0000000004CE0000-0x0000000005D10000-memory.dmp

Filesize
16.2MB

Download
memory/928-78-0x0000000004CE0000-0x0000000005D10000-memory.dmp

Filesize
16.2MB

Download
memory/928-107-0x0000000004CE0000-0x0000000005D10000-memory.dmp

Filesize
16.2MB

Download
memory/928-92-0x0000000004CE0000-0x0000000005D10000-memory.dmp

Filesize
16.2MB

Download
memory/928-88-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/928-54-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/928-81-0x0000000004CE0000-0x0000000005D10000-memory.dmp

Filesize
16.2MB

Download
memory/928-89-0x0000000002040000-0x0000000002042000-memory.dmp

Filesize
8KB

Download
memory/3456-72-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/3456-73-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/3468-49-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3468-53-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3468-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3468-76-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4436-37-0x0000000002310000-0x0000000003340000-memory.dmp

Filesize
16.2MB

Download
memory/4436-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-35-0x0000000002310000-0x0000000003340000-memory.dmp

Filesize
16.2MB

Download
memory/4436-4-0x0000000002310000-0x0000000003340000-memory.dmp

Filesize
16.2MB

Download
memory/4436-15-0x00000000055B0000-0x00000000055B2000-memory.dmp

Filesize
8KB

Download
memory/4436-17-0x00000000055B0000-0x00000000055B2000-memory.dmp

Filesize
8KB

Download
memory/4436-16-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/4436-20-0x00000000055B0000-0x00000000055B2000-memory.dmp

Filesize
8KB

Download
memory/4436-7-0x0000000002310000-0x0000000003340000-memory.dmp

Filesize
16.2MB

Download
memory/4436-6-0x0000000002310000-0x0000000003340000-memory.dmp

Filesize
16.2MB

Download
memory/4436-1-0x0000000002310000-0x0000000003340000-memory.dmp

Filesize
16.2MB

Download