Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
29/01/2025, 22:35
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe
Resource
win7-20241010-en
General
-
Target
JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe
-
Size
97KB
-
MD5
5c035eabdc210ca5992e0017d715d8fc
-
SHA1
3677a09367dc6396106b08822875f5e9b5dee241
-
SHA256
14c1c6de7508c0fe8e4006c6df6bd68aab13041fe779412ced195682682410f9
-
SHA512
0c83cd7a093160fa0a7e9eb88f688dc835f677cc44f4b719584101045298ea79df07447efc01b1917845f4554f531e0270ae03ef86efa400f19b14824e108273
-
SSDEEP
3072:G8edsTFUm9g0F8j/aUuPfomsLD46GwzpDLDqfeWZx:GSZF8FMo7L4wztceWT
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe -
Sality family
-
UAC bypass 3 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe -
Windows security bypass 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe -
Windows security modification 2 TTPs 7 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe -
Checks whether UAC is enabled 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened (read-only) \??\U: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened (read-only) \??\V: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened (read-only) \??\E: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened (read-only) \??\L: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened (read-only) \??\M: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened (read-only) \??\Q: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened (read-only) \??\W: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened (read-only) \??\X: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened (read-only) \??\Z: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened (read-only) \??\H: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened (read-only) \??\J: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened (read-only) \??\O: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened (read-only) \??\T: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened (read-only) \??\I: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened (read-only) \??\P: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened (read-only) \??\Y: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened (read-only) \??\G: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened (read-only) \??\K: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened (read-only) \??\N: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened (read-only) \??\S: JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened for modification F:\autorun.inf JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe -
resource yara_rule behavioral2/memory/3788-1-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-3-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-4-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-5-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-7-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-6-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-16-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-15-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-14-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-8-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-21-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-22-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-23-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-25-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-24-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-27-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-28-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-29-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-31-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-33-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-35-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-36-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-40-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-41-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-44-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-45-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-53-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-54-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-55-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-56-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-60-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-61-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-63-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-65-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-68-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-70-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-71-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-72-0x0000000000800000-0x00000000018BA000-memory.dmp upx behavioral2/memory/3788-75-0x0000000000800000-0x00000000018BA000-memory.dmp upx -
Drops file in Program Files directory 11 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\Uninstall.exe JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened for modification C:\Program Files\7-Zip\7z.exe JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened for modification C:\Program Files\7-Zip\7zG.exe JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe File created C:\Windows\e578405 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe -
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid Process 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe Token: SeDebugPrivilege 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3788 wrote to memory of 808 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 9 PID 3788 wrote to memory of 812 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 10 PID 3788 wrote to memory of 388 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 13 PID 3788 wrote to memory of 3076 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 50 PID 3788 wrote to memory of 3140 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 51 PID 3788 wrote to memory of 3236 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 52 PID 3788 wrote to memory of 3512 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 56 PID 3788 wrote to memory of 3664 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 57 PID 3788 wrote to memory of 3856 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 58 PID 3788 wrote to memory of 3944 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 59 PID 3788 wrote to memory of 4036 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 60 PID 3788 wrote to memory of 2524 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 61 PID 3788 wrote to memory of 4160 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 62 PID 3788 wrote to memory of 3380 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 75 PID 3788 wrote to memory of 4584 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 76 PID 3788 wrote to memory of 708 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 80 PID 3788 wrote to memory of 1544 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 81 PID 3788 wrote to memory of 4000 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 83 PID 3788 wrote to memory of 780 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 84 PID 3788 wrote to memory of 808 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 9 PID 3788 wrote to memory of 812 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 10 PID 3788 wrote to memory of 388 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 13 PID 3788 wrote to memory of 3076 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 50 PID 3788 wrote to memory of 3140 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 51 PID 3788 wrote to memory of 3236 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 52 PID 3788 wrote to memory of 3512 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 56 PID 3788 wrote to memory of 3664 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 57 PID 3788 wrote to memory of 3856 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 58 PID 3788 wrote to memory of 3944 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 59 PID 3788 wrote to memory of 4036 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 60 PID 3788 wrote to memory of 2524 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 61 PID 3788 wrote to memory of 4160 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 62 PID 3788 wrote to memory of 3380 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 75 PID 3788 wrote to memory of 4584 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 76 PID 3788 wrote to memory of 708 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 80 PID 3788 wrote to memory of 780 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 84 PID 3788 wrote to memory of 1440 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 85 PID 3788 wrote to memory of 808 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 9 PID 3788 wrote to memory of 812 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 10 PID 3788 wrote to memory of 388 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 13 PID 3788 wrote to memory of 3076 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 50 PID 3788 wrote to memory of 3140 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 51 PID 3788 wrote to memory of 3236 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 52 PID 3788 wrote to memory of 3512 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 56 PID 3788 wrote to memory of 3664 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 57 PID 3788 wrote to memory of 3856 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 58 PID 3788 wrote to memory of 3944 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 59 PID 3788 wrote to memory of 4036 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 60 PID 3788 wrote to memory of 2524 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 61 PID 3788 wrote to memory of 4160 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 62 PID 3788 wrote to memory of 3380 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 75 PID 3788 wrote to memory of 4584 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 76 PID 3788 wrote to memory of 708 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 80 PID 3788 wrote to memory of 780 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 84 PID 3788 wrote to memory of 1440 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 85 PID 3788 wrote to memory of 808 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 9 PID 3788 wrote to memory of 812 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 10 PID 3788 wrote to memory of 388 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 13 PID 3788 wrote to memory of 3076 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 50 PID 3788 wrote to memory of 3140 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 51 PID 3788 wrote to memory of 3236 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 52 PID 3788 wrote to memory of 3512 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 56 PID 3788 wrote to memory of 3664 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 57 PID 3788 wrote to memory of 3856 3788 JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe 58 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:808
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:812
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:388
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:3076
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:3140
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:3236
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3512
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c035eabdc210ca5992e0017d715d8fc.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3788
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3664
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3856
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3944
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4036
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2524
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4160
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:3380
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4584
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵PID:708
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:1544
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider1⤵PID:4000
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:780
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:1440
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD52a79fd914ba1b647bbe011dd54853aed
SHA14b1cf9c157bdfae9b346b1a6a96c93b323ec24c8
SHA256bb1574c844b27cd0879f667470845e9a53fa745d5c15200f1106c1983bbf6a6a
SHA512452a69008e1313abea1a46bca750033fef1a7fb32e9dd848b24464a9bca7117db26dd60256cfb836c7a532bcc20cf5b33eee58b8b3701753209db97446bb3392