Analysis
max time kernel: 95s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/02/2025, 17:40
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
  Resource: win10v2004-20250129-en
General
Target: JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Size: 110KB
MD5: 7f3bfe42542dba416ebea5b15d165870
SHA1: feaabf0c1d905f8bc5d52b1be7ffc4f6e274bf53
SHA256: eacafcc54117b154bdef3175a2f79dcd97090d443ea340b5c851be2e1fb0a7ad
SHA512: c706573c51fe78b1deec4f2f015018cde4bf6078b4d74f02f056ea56c6a40e2eb43b4e31f86c949c8ba23f77e917d559a7c93645fdb2d1a7378290f5e73efbe0
SSDEEP: 1536:51s9uOS//PnBLWqj5/BRhesSesRxRv8z7lo1Ih9g8NATEa+j2b4SwyeEkR13utKN:XsJYBTnhDWvgZBAga+A21eB0
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4299827.exe\"" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6299822.exe" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4299827.exe\"" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6299822.exe" | smss.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Sality family
UAC bypass (3 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Windows security bypass (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | smss.exe
Adds policy Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4758c = "\"C:\\Windows\\_default29982.pif\"" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\"" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4758c = "\"C:\\Windows\\_default29982.pif\"" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Disables RegEdit via registry modification (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | smss.exe
Disables Task Manager via registry modification
Modifies Windows Firewall (2 TTPs, 2 IoCs)
pid | Process
1844 | netsh.exe
4664 | netsh.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation | smss.exe
Executes dropped EXE (1 IoCs)
pid | Process
4704 | smss.exe
Windows security modification (2 TTPs, 14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | smss.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N4758c = "\"C:\\Windows\\j6299822.exe\"" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\"" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N4758c = "\"C:\\Windows\\j6299822.exe\"" | smss.exe
Checks whether UAC is enabled (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Drops file in System32 directory (17 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
File created | C:\Windows\SysWOW64\s4827\zh59927084y.exe | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | smss.exe
File created | C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin | smss.exe
File created | C:\Windows\SysWOW64\s4827\winlogon.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\s4827 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
File created | C:\Windows\SysWOW64\c_29982k.com | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
File opened for modification | C:\Windows\SysWOW64\c_29982k.com | smss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin | smss.exe
File created | C:\Windows\SysWOW64\s4827\smss.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\s4827\zh59927084y.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\c_29982k.com | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
File opened for modification | C:\Windows\SysWOW64\s4827\smss.exe | smss.exe
resource | yara_rule
behavioral2/memory/780-3-0x00000000021F0000-0x0000000003223000-memory.dmp | upx
behavioral2/memory/780-1-0x00000000021F0000-0x0000000003223000-memory.dmp | upx
behavioral2/memory/780-10-0x00000000021F0000-0x0000000003223000-memory.dmp | upx
behavioral2/memory/780-25-0x00000000021F0000-0x0000000003223000-memory.dmp | upx
behavioral2/memory/780-33-0x00000000021F0000-0x0000000003223000-memory.dmp | upx
behavioral2/memory/4704-92-0x00000000024E0000-0x0000000003513000-memory.dmp | upx
behavioral2/memory/4704-98-0x00000000024E0000-0x0000000003513000-memory.dmp | upx
behavioral2/memory/4704-115-0x00000000024E0000-0x0000000003513000-memory.dmp | upx
behavioral2/memory/4704-135-0x00000000024E0000-0x0000000003513000-memory.dmp | upx
Drops file in Windows directory (10 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\j6299822.exe | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
File created | C:\Windows\j6299822.exe | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
File opened for modification | C:\Windows\o4299827.exe | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
File opened for modification | C:\Windows\_default29982.pif | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
File created | C:\Windows\_default29982.pif | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
File opened for modification | C:\Windows\j6299822.exe | smss.exe
File opened for modification | C:\Windows\o4299827.exe | smss.exe
File opened for modification | C:\Windows\SYSTEM.INI | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
File opened for modification | C:\Windows\_default29982.pif | smss.exe
File created | C:\Windows\o4299827.exe | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 6 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
4704 | smss.exe
4704 | smss.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (51 IoCs)
description | pid | Process | procid_target
PID 780 wrote to memory of 1844 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 84
PID 780 wrote to memory of 1844 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 84
PID 780 wrote to memory of 1844 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 84
PID 780 wrote to memory of 796 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 9
PID 780 wrote to memory of 804 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 10
PID 780 wrote to memory of 332 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 13
PID 780 wrote to memory of 2572 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 42
PID 780 wrote to memory of 2584 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 43
PID 780 wrote to memory of 2848 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 49
PID 780 wrote to memory of 3608 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 56
PID 780 wrote to memory of 3728 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 57
PID 780 wrote to memory of 3928 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 58
PID 780 wrote to memory of 4016 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 59
PID 780 wrote to memory of 4080 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 60
PID 780 wrote to memory of 2804 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 61
PID 780 wrote to memory of 4204 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 62
PID 780 wrote to memory of 2432 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 74
PID 780 wrote to memory of 3324 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 76
PID 780 wrote to memory of 3316 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 80
PID 780 wrote to memory of 536 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 81
PID 780 wrote to memory of 812 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 83
PID 780 wrote to memory of 1844 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 84
PID 780 wrote to memory of 1844 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 84
PID 780 wrote to memory of 4704 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 90
PID 780 wrote to memory of 4704 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 90
PID 780 wrote to memory of 4704 | 780 | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | 90
PID 4704 wrote to memory of 4664 | 4704 | smss.exe | 92
PID 4704 wrote to memory of 4664 | 4704 | smss.exe | 92
PID 4704 wrote to memory of 4664 | 4704 | smss.exe | 92
PID 4704 wrote to memory of 796 | 4704 | smss.exe | 9
PID 4704 wrote to memory of 804 | 4704 | smss.exe | 10
PID 4704 wrote to memory of 332 | 4704 | smss.exe | 13
PID 4704 wrote to memory of 2572 | 4704 | smss.exe | 42
PID 4704 wrote to memory of 2584 | 4704 | smss.exe | 43
PID 4704 wrote to memory of 2848 | 4704 | smss.exe | 49
PID 4704 wrote to memory of 3608 | 4704 | smss.exe | 56
PID 4704 wrote to memory of 3728 | 4704 | smss.exe | 57
PID 4704 wrote to memory of 3928 | 4704 | smss.exe | 58
PID 4704 wrote to memory of 4016 | 4704 | smss.exe | 59
PID 4704 wrote to memory of 4080 | 4704 | smss.exe | 60
PID 4704 wrote to memory of 2804 | 4704 | smss.exe | 61
PID 4704 wrote to memory of 4204 | 4704 | smss.exe | 62
PID 4704 wrote to memory of 2432 | 4704 | smss.exe | 74
PID 4704 wrote to memory of 3324 | 4704 | smss.exe | 76
PID 4704 wrote to memory of 3316 | 4704 | smss.exe | 80
PID 4704 wrote to memory of 536 | 4704 | smss.exe | 81
PID 4704 wrote to memory of 5100 | 4704 | smss.exe | 86
PID 4704 wrote to memory of 3036 | 4704 | smss.exe | 87
PID 4704 wrote to memory of 5056 | 4704 | smss.exe | 91
PID 4704 wrote to memory of 4664 | 4704 | smss.exe | 92
PID 4704 wrote to memory of 4664 | 4704 | smss.exe | 92
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Processes
(path | command line | PID; children are indented under their parent)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:796
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:804
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:332
C:\Windows\system32\sihost.exe | sihost.exe | PID:2572
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2584
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2848
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3608
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7f3bfe42542dba416ebea5b15d165870.exe" | PID:780
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - UAC bypass
        - Windows security bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Checks computer location settings
        - Windows security modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:812
        C:\Windows\SysWOW64\netsh.exe | netsh firewall set opmode disable | PID:1844
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\s4827\smss.exe | "C:\Windows\system32\s4827\smss.exe" ~Brontok~Log~ | PID:4704
            - Modifies WinLogon for persistence
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - UAC bypass
            - Windows security bypass
            - Adds policy Run key to start application
            - Disables RegEdit via registry modification
            - Checks computer location settings
            - Executes dropped EXE
            - Windows security modification
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            - System policy modification
            C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5056
            C:\Windows\SysWOW64\netsh.exe | netsh firewall set opmode disable | PID:4664
                - Modifies Windows Firewall
                - Event Triggered Execution: Netsh Helper DLL
                - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3728
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3928
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:4016
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4080
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:2804
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4204
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2432
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3324
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:3316
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:536
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:5100
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3036
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (9)
Downloads
Filesize: 258B
MD5: b744cc48b7e18d885f45323067378e9c
SHA1: dbdd347e223d381016495098c3138bcc6793e527
SHA256: 123d96d1b78b7be5fe1d753be47c75196256e25f0a5448c12934dfe945da42fe
SHA512: deb72d8c6913290f335de7dd91984d9bf4985745cc40c9e0da961e124ab626110b9fb549053af0680dc0b0b73e11ca1413dd715a73d511a8177d0961aa3ca120

Filesize: 110KB
MD5: 7f3bfe42542dba416ebea5b15d165870
SHA1: feaabf0c1d905f8bc5d52b1be7ffc4f6e274bf53
SHA256: eacafcc54117b154bdef3175a2f79dcd97090d443ea340b5c851be2e1fb0a7ad
SHA512: c706573c51fe78b1deec4f2f015018cde4bf6078b4d74f02f056ea56c6a40e2eb43b4e31f86c949c8ba23f77e917d559a7c93645fdb2d1a7378290f5e73efbe0

Filesize: 97KB
MD5: 67e17c9166734ca417beae5882b5366e
SHA1: aac7ba6890f9cc7c14c9c1b81216632cf92f4533
SHA256: 2b2634ffdcd38ff1968f600dc9a928c9847122e293c678ab27d3b504f696b340
SHA512: 6fabd503f2fc1ab03dc03b8fca4c4863eed6d29ba59f202d96c4f16d844565971bbb40f8954f1a90f7525832ae27b33a7fa8f9bace150cb095b624e87699debe