Analysis
max time kernel: 92s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-01-2025 06:48
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_5ff54e1bfed5214b556ae2038c13ec45.dll
Resource: win7-20240903-en
General
Target: JaffaCakes118_5ff54e1bfed5214b556ae2038c13ec45.dll
Size: 120KB
MD5: 5ff54e1bfed5214b556ae2038c13ec45
SHA1: 40170f6dcdebae03ac894fa4ed082096804d6e87
SHA256: 59a33d36145ee35f20ac871c17e5c874554628413b9c3adf19488910a5c9f840
SHA512: 83c01c4f4e9fa95bac438751d60b5f17d7f98056b217b978262e10f8d9d1d8e5c271762e4c8319619886040ee13ed6c0a0068a924e65274317156fe5e632af3a
SSDEEP: 3072:BXnikJO/X+GRqIHgo9kTbffMLZgaOisBuQK2dS:pnc/OgHR94oZROdK2d
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e578ee2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e578ee2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57bc4b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e578ca0.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e578ca0.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57bc4b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57bc4b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e578ca0.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e578ee2.exe
Sality family
UAC bypass 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578ca0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578ee2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bc4b.exe
Windows security bypass 2 TTPs 18 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578ca0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578ee2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578ca0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578ca0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bc4b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578ee2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bc4b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578ca0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578ee2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578ee2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bc4b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bc4b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578ca0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578ca0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bc4b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bc4b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578ee2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578ee2.exe
Executes dropped EXE 3 IoCs
pid | Process
5032 | e578ca0.exe
2100 | e578ee2.exe
2628 | e57bc4b.exe
Windows security modification 2 TTPs 21 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578ee2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578ee2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e578ee2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578ca0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578ca0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578ee2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bc4b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bc4b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57bc4b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578ca0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e578ca0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578ca0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578ee2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578ee2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bc4b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bc4b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bc4b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578ca0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578ca0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578ee2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bc4b.exe
Checks whether UAC is enabled 1 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578ee2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bc4b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578ca0.exe
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | e578ca0.exe
File opened (read-only) | \??\K: | e578ca0.exe
File opened (read-only) | \??\L: | e578ca0.exe
File opened (read-only) | \??\G: | e57bc4b.exe
File opened (read-only) | \??\G: | e578ca0.exe
File opened (read-only) | \??\I: | e578ca0.exe
File opened (read-only) | \??\E: | e57bc4b.exe
File opened (read-only) | \??\H: | e57bc4b.exe
File opened (read-only) | \??\I: | e57bc4b.exe
File opened (read-only) | \??\J: | e57bc4b.exe
File opened (read-only) | \??\E: | e578ca0.exe
File opened (read-only) | \??\H: | e578ca0.exe
resource | yara_rule
behavioral2/memory/5032-6-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-7-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-9-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-10-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-11-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-12-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-26-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-27-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-31-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-18-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-36-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-34-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-37-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-38-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-39-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-40-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-54-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-56-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-58-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-59-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-61-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-63-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-65-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/5032-66-0x0000000000780000-0x000000000183A000-memory.dmp | upx
behavioral2/memory/2100-88-0x0000000000B90000-0x0000000001C4A000-memory.dmp | upx
behavioral2/memory/2100-93-0x0000000000B90000-0x0000000001C4A000-memory.dmp | upx
behavioral2/memory/2628-95-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/2628-99-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
behavioral2/memory/2628-146-0x00000000007E0000-0x000000000189A000-memory.dmp | upx
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\e578cee | e578ca0.exe
File opened for modification | C:\Windows\SYSTEM.INI | e578ca0.exe
File created | C:\Windows\e57de1b | e578ee2.exe
File created | C:\Windows\e57e3c8 | e57bc4b.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578ca0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e578ee2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bc4b.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
5032 | e578ca0.exe
5032 | e578ca0.exe
5032 | e578ca0.exe
5032 | e578ca0.exe
2628 | e57bc4b.exe
2628 | e57bc4b.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Token: SeDebugPrivilege | 5032 | e578ca0.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4920 wrote to memory of 3672 | 4920 | rundll32.exe | 82
PID 4920 wrote to memory of 3672 | 4920 | rundll32.exe | 82
PID 4920 wrote to memory of 3672 | 4920 | rundll32.exe | 82
PID 3672 wrote to memory of 5032 | 3672 | rundll32.exe | 85
PID 3672 wrote to memory of 5032 | 3672 | rundll32.exe | 85
PID 3672 wrote to memory of 5032 | 3672 | rundll32.exe | 85
PID 5032 wrote to memory of 784 | 5032 | e578ca0.exe | 8
PID 5032 wrote to memory of 792 | 5032 | e578ca0.exe | 9
PID 5032 wrote to memory of 332 | 5032 | e578ca0.exe | 13
PID 5032 wrote to memory of 2480 | 5032 | e578ca0.exe | 42
PID 5032 wrote to memory of 2508 | 5032 | e578ca0.exe | 45
PID 5032 wrote to memory of 2764 | 5032 | e578ca0.exe | 47
PID 5032 wrote to memory of 3540 | 5032 | e578ca0.exe | 56
PID 5032 wrote to memory of 3700 | 5032 | e578ca0.exe | 57
PID 5032 wrote to memory of 3892 | 5032 | e578ca0.exe | 58
PID 5032 wrote to memory of 3984 | 5032 | e578ca0.exe | 59
PID 5032 wrote to memory of 616 | 5032 | e578ca0.exe | 60
PID 5032 wrote to memory of 3276 | 5032 | e578ca0.exe | 61
PID 5032 wrote to memory of 3576 | 5032 | e578ca0.exe | 62
PID 5032 wrote to memory of 2432 | 5032 | e578ca0.exe | 64
PID 5032 wrote to memory of 3692 | 5032 | e578ca0.exe | 76
PID 5032 wrote to memory of 3208 | 5032 | e578ca0.exe | 79
PID 5032 wrote to memory of 1724 | 5032 | e578ca0.exe | 80
PID 5032 wrote to memory of 4920 | 5032 | e578ca0.exe | 81
PID 5032 wrote to memory of 3672 | 5032 | e578ca0.exe | 82
PID 5032 wrote to memory of 3672 | 5032 | e578ca0.exe | 82
PID 5032 wrote to memory of 1980 | 5032 | e578ca0.exe | 83
PID 5032 wrote to memory of 4628 | 5032 | e578ca0.exe | 84
PID 3672 wrote to memory of 2100 | 3672 | rundll32.exe | 86
PID 3672 wrote to memory of 2100 | 3672 | rundll32.exe | 86
PID 3672 wrote to memory of 2100 | 3672 | rundll32.exe | 86
PID 5032 wrote to memory of 784 | 5032 | e578ca0.exe | 8
PID 5032 wrote to memory of 792 | 5032 | e578ca0.exe | 9
PID 5032 wrote to memory of 332 | 5032 | e578ca0.exe | 13
PID 5032 wrote to memory of 2480 | 5032 | e578ca0.exe | 42
PID 5032 wrote to memory of 2508 | 5032 | e578ca0.exe | 45
PID 5032 wrote to memory of 2764 | 5032 | e578ca0.exe | 47
PID 5032 wrote to memory of 3540 | 5032 | e578ca0.exe | 56
PID 5032 wrote to memory of 3700 | 5032 | e578ca0.exe | 57
PID 5032 wrote to memory of 3892 | 5032 | e578ca0.exe | 58
PID 5032 wrote to memory of 3984 | 5032 | e578ca0.exe | 59
PID 5032 wrote to memory of 616 | 5032 | e578ca0.exe | 60
PID 5032 wrote to memory of 3276 | 5032 | e578ca0.exe | 61
PID 5032 wrote to memory of 3576 | 5032 | e578ca0.exe | 62
PID 5032 wrote to memory of 2432 | 5032 | e578ca0.exe | 64
PID 5032 wrote to memory of 3692 | 5032 | e578ca0.exe | 76
PID 5032 wrote to memory of 3208 | 5032 | e578ca0.exe | 79
PID 5032 wrote to memory of 1724 | 5032 | e578ca0.exe | 80
PID 5032 wrote to memory of 4920 | 5032 | e578ca0.exe | 81
PID 5032 wrote to memory of 4628 | 5032 | e578ca0.exe | 84
PID 5032 wrote to memory of 2100 | 5032 | e578ca0.exe | 86
PID 5032 wrote to memory of 2100 | 5032 | e578ca0.exe | 86
PID 5032 wrote to memory of 3664 | 5032 | e578ca0.exe | 87
PID 3672 wrote to memory of 2628 | 3672 | rundll32.exe | 88
PID 3672 wrote to memory of 2628 | 3672 | rundll32.exe | 88
PID 3672 wrote to memory of 2628 | 3672 | rundll32.exe | 88
PID 2628 wrote to memory of 784 | 2628 | e57bc4b.exe | 8
PID 2628 wrote to memory of 792 | 2628 | e57bc4b.exe | 9
PID 2628 wrote to memory of 332 | 2628 | e57bc4b.exe | 13
PID 2628 wrote to memory of 2480 | 2628 | e57bc4b.exe | 42
PID 2628 wrote to memory of 2508 | 2628 | e57bc4b.exe | 45
PID 2628 wrote to memory of 2764 | 2628 | e57bc4b.exe | 47
PID 2628 wrote to memory of 3540 | 2628 | e57bc4b.exe | 56
PID 2628 wrote to memory of 3700 | 2628 | e57bc4b.exe | 57
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578ca0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578ee2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bc4b.exe
Processes
(image path | command line | PID; indented entries are child processes of the entry above them, signatures listed beneath each process)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:784
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:792
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:332
C:\Windows\system32\sihost.exe | sihost.exe | PID:2480
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2508
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2764
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3540
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ff54e1bfed5214b556ae2038c13ec45.dll,#1 | PID:4920
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5ff54e1bfed5214b556ae2038c13ec45.dll,#1 | PID:3672
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e578ca0.exe | C:\Users\Admin\AppData\Local\Temp\e578ca0.exe | PID:5032
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e578ee2.exe | C:\Users\Admin\AppData\Local\Temp\e578ee2.exe | PID:2100
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e57bc4b.exe | C:\Users\Admin\AppData\Local\Temp\e57bc4b.exe | PID:2628
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3700
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3892
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3984
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:616
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3276
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3576
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2432
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:3692
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:3208
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:1724
C:\Windows\system32\BackgroundTaskHost.exe | "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider | PID:1980
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4628
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3664
Network
MITRE ATT&CK Enterprise v15 (technique: number of matching signatures)
Privilege Escalation
  Abuse Elevation Control Mechanism: 1
    Bypass User Account Control: 1
  Create or Modify System Process: 1
    Windows Service: 1
Defense Evasion
  Abuse Elevation Control Mechanism: 1
    Bypass User Account Control: 1
  Impair Defenses: 4
    Disable or Modify System Firewall: 1
    Disable or Modify Tools: 3
  Modify Registry: 5
Downloads
Filesize: 97KB
MD5: f00faca2a4093885ab41737eb76000ce
SHA1: a8417375680a14c40de6d11c758499629e594e96
SHA256: 6c8eba78e91ad260b4d94dccc77953f018405076bb69580e1599b6fc60df8eba
SHA512: 28cdcba914b391f724103626ffab4a66cd86090d842d7110fd605b610486c9e53984802ceb292e86a597ba2c4cd2b3d8a1821ef88707654f055b91761289517a

Filesize: 257B
MD5: eb82555d02023a4d5bf51d93d48ce14c
SHA1: d7590c1459173ec295e055d2c6e2f326967996db
SHA256: c37adc75c92465f2c43d6de8e8946ff9ae1081708320120f3ca802141b1111b3
SHA512: 143b2278eba98f0cf0d4b5d61ff6240ec7561f0c6597a37da0d0a4957e3b34289937932c20cf8efc842e589d6c7284b9ef917e5534f2451bca3b504ab6d51f2e