Overview

Task scores (sandbox score per task, 10 = malicious)

Task                   Platform             Score
Overview               -                    10
Static                 -                    3
JaffaCakes...56.exe    windows7-x64         10
JaffaCakes...56.exe    windows10-2004-x64   10
$PLUGINSDI...es.dll    windows7-x64         3
$PLUGINSDI...es.dll    windows10-2004-x64   3
$PLUGINSDI...em.dll    windows7-x64         3
$PLUGINSDI...em.dll    windows10-2004-x64   3
$PLUGINSDIR/UAC.dll    windows7-x64         3
$PLUGINSDIR/UAC.dll    windows10-2004-x64   3
$PLUGINSDI...fo.dll    windows7-x64         3
$PLUGINSDI...fo.dll    windows10-2004-x64   3
$PLUGINSDIR/inetc.dll  windows7-x64         3
$PLUGINSDIR/inetc.dll  windows10-2004-x64   3
$PLUGINSDI...gs.dll    windows7-x64         3
$PLUGINSDI...gs.dll    windows10-2004-x64   3

Analysis
max time kernel: 91s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-02-2025 03:39
Static task: static1

Behavioral tasks

Task          Sample                                                Resource
behavioral1   JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe    win7-20240903-en
behavioral2   JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe    win10v2004-20250129-en
behavioral3   $PLUGINSDIR/Processes.dll                             win7-20241010-en
behavioral4   $PLUGINSDIR/Processes.dll                             win10v2004-20241007-en
behavioral5   $PLUGINSDIR/System.dll                                win7-20240708-en
behavioral6   $PLUGINSDIR/System.dll                                win10v2004-20250129-en
behavioral7   $PLUGINSDIR/UAC.dll                                   win7-20240903-en
behavioral8   $PLUGINSDIR/UAC.dll                                   win10v2004-20250129-en
behavioral9   $PLUGINSDIR/UserInfo.dll                              win7-20240903-en
behavioral10  $PLUGINSDIR/UserInfo.dll                              win10v2004-20250129-en
behavioral11  $PLUGINSDIR/inetc.dll                                 win7-20241010-en
behavioral12  $PLUGINSDIR/inetc.dll                                 win10v2004-20250129-en
behavioral13  $PLUGINSDIR/nsDialogs.dll                             win7-20241010-en
behavioral14  $PLUGINSDIR/nsDialogs.dll                             win10v2004-20250129-en
General

Target: JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Size: 183KB
MD5: 840fa6ee06fff8d84a2773e8ae922156
SHA1: 578ca844543245c67e88aa8c71664035f4b18d76
SHA256: 52f79515018dba7417e433c71b09a951015f69827f30b1ca0db3688a2a21d65b
SHA512: b6ca765f0fa3193e0e332e3a9f730309b88491327c6c35eb543343d8e8997e70f9643347ed875156d18403d56e1139e74f7f462aab2c36130197ad2188b3d55d
SSDEEP: 3072:DLk39XKhYXJlq+JNu/9P0qO5dqAv9efWQFgn8PInvqHUE9s2giM0vxj+hyv8umc3:DQHK+3S9MqODvULe6mCkbeRmu
Malware Config

Extracted family: sality
URLs from the extracted config:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" Au_.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" Au_.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe

Sality family

UAC bypass (3 TTPs, 2 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Au_.exe

Windows security bypass (2 TTPs, 12 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Au_.exe

Disables RegEdit via registry modification (2 IoCs)
Set value (int) \REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" Au_.exe

Disables Task Manager via registry modification

Deletes itself (1 IoC)
pid 2456 Au_.exe

Executes dropped EXE (1 IoC)
pid 2456 Au_.exe

Loads dropped DLL (61 IoCs)
pid 2456 Au_.exe (61 DLL loads)

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

Windows security modification (2 TTPs, 14 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Au_.exe

Checks whether UAC is enabled (1 TTP, 2 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Au_.exe

YARA rule "upx" matched in memory dumps (23 IoCs)
PID 4536, region 0x0000000002430000-0x00000000034BE000, dumps 1, 3, 4, 5, 6, 9, 11, 13, 14 and 27 (behavioral2/memory/4536-<n>-0x0000000002430000-0x00000000034BE000-memory.dmp): upx
PID 2456, region 0x0000000005CF0000-0x0000000006D7E000, dumps 75, 76, 77, 81, 82, 83, 84, 85, 86, 88, 89, 92 and 314 (behavioral2/memory/2456-<n>-0x0000000005CF0000-0x0000000006D7E000-memory.dmp): upx

Drops file in Windows directory (1 IoC)
File opened for modification C:\Windows\SYSTEM.INI JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the victim's system language in order to infer the geographical location of the host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Au_.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe

NSIS installer (4 IoCs)
behavioral2/files/0x0007000000023ca6-22.dat nsis_installer_1
behavioral2/files/0x0007000000023ca6-22.dat nsis_installer_2
behavioral2/files/0x0007000000023ca7-37.dat nsis_installer_1
behavioral2/files/0x0007000000023ca7-37.dat nsis_installer_2

Suspicious behavior: EnumeratesProcesses (56 IoCs)
pid 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe (2 events)
pid 2456 Au_.exe (54 events)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token: SeDebugPrivilege, pid 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe (64 events)

Suspicious use of WriteProcessMemory (38 IoCs)
Columns: description, pid, Process, procid_target
PID 4536 wrote to memory of 784 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 8
PID 4536 wrote to memory of 788 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 9
PID 4536 wrote to memory of 1016 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 13
PID 4536 wrote to memory of 2580 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 44
PID 4536 wrote to memory of 2732 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 48
PID 4536 wrote to memory of 2996 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 51
PID 4536 wrote to memory of 3408 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 56
PID 4536 wrote to memory of 3536 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 57
PID 4536 wrote to memory of 3720 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 58
PID 4536 wrote to memory of 3820 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 59
PID 4536 wrote to memory of 3884 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 60
PID 4536 wrote to memory of 3968 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 61
PID 4536 wrote to memory of 4124 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 62
PID 4536 wrote to memory of 4036 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 75
PID 4536 wrote to memory of 4756 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 76
PID 4536 wrote to memory of 4200 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 82
PID 4536 wrote to memory of 5072 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 83
PID 4536 wrote to memory of 2456 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 85
PID 4536 wrote to memory of 2456 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 85
PID 4536 wrote to memory of 2456 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 85
PID 2456 wrote to memory of 784 2456 Au_.exe 8
PID 2456 wrote to memory of 788 2456 Au_.exe 9
PID 2456 wrote to memory of 1016 2456 Au_.exe 13
PID 2456 wrote to memory of 2580 2456 Au_.exe 44
PID 2456 wrote to memory of 2732 2456 Au_.exe 48
PID 2456 wrote to memory of 2996 2456 Au_.exe 51
PID 2456 wrote to memory of 3408 2456 Au_.exe 56
PID 2456 wrote to memory of 3536 2456 Au_.exe 57
PID 2456 wrote to memory of 3720 2456 Au_.exe 58
PID 2456 wrote to memory of 3820 2456 Au_.exe 59
PID 2456 wrote to memory of 3884 2456 Au_.exe 60
PID 2456 wrote to memory of 3968 2456 Au_.exe 61
PID 2456 wrote to memory of 4124 2456 Au_.exe 62
PID 2456 wrote to memory of 4036 2456 Au_.exe 75
PID 2456 wrote to memory of 4756 2456 Au_.exe 76
PID 2456 wrote to memory of 4200 2456 Au_.exe 82
PID 2456 wrote to memory of 372 2456 Au_.exe 87
PID 2456 wrote to memory of 1756 2456 Au_.exe 88

System policy modification (1 TTP, 2 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Au_.exe
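Every registry write in the signature lists above turns off a control the host depends on: UAC (EnableLUA), the standard firewall profile, Security Center's status monitoring and notifications, and the Registry Editor for the logged-on user. The Python below is an added example, not part of the sandbox report and not code from the sample. It parses IoC lines in the exact layout the report prints them, maps each (value name, data) pair to the control it disables, and tells a responder which hive to inspect, including the WOW6432Node view that a 32-bit writer's HKLM\SOFTWARE writes land in. The embedded sample lines are copied from the report; the DISABLED_CONTROL table and the exact-value matching rule are the example's own assumptions, not something the report states.

```python
"""Classify the registry writes a sandbox report lists into the defences they disable."""
import re
from dataclasses import dataclass

# Constructed sample input: IoC lines copied from the Signatures section of the
# report above, in the layout the sandbox prints them. A full run would paste
# in every "Set value" row from the report.
REPORT_IOCS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" Au_.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Au_.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" Au_.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" Au_.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc Au_.exe
"""

# (value name, data written) -> the control that write turns off. This mapping is
# the example's own (assumption: exact match on the bad value, so EnableLUA = "1"
# would not be flagged). The report lists the writes but does not explain them.
DISABLED_CONTROL = {
    ("EnableLUA", "0"): "UAC (EnableLUA=0, applied at next reboot)",
    ("EnableFirewall", "0"): "Windows Firewall, standard profile",
    ("DoNotAllowExceptions", "0"): "firewall 'block all incoming connections' mode",
    ("DisableNotifications", "1"): "firewall blocked-program notifications",
    ("DisableRegistryTools", "1"): "Registry Editor for the affected user",
    ("AntiVirusOverride", "1"): "Security Center antivirus state monitoring",
    ("AntiVirusDisableNotify", "1"): "Security Center antivirus alerts",
    ("FirewallOverride", "1"): "Security Center firewall state monitoring",
    ("FirewallDisableNotify", "1"): "Security Center firewall alerts",
    ("UacDisableNotify", "1"): "Security Center UAC alerts",
    ("UpdatesDisableNotify", "1"): "Security Center update alerts",
}

SET_VALUE_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)$'
)


@dataclass(frozen=True)
class RegistryWrite:
    path: str     # native object path, e.g. \REGISTRY\MACHINE\...\EnableLUA
    data: str     # data written, as the report prints it
    process: str  # image name of the writing process

    @property
    def value_name(self) -> str:
        return self.path.rsplit("\\", 1)[1]

    @property
    def hive(self) -> str:
        """Translate the native path prefix into the hive a responder opens."""
        if self.path.startswith("\\REGISTRY\\MACHINE\\"):
            return "HKLM"
        if self.path.startswith("\\REGISTRY\\USER\\"):
            return "HKU\\" + self.path.split("\\")[3]  # keep the user's SID
        return "UNKNOWN"

    @property
    def wow64_redirected(self) -> bool:
        # A 32-bit writer's HKLM\SOFTWARE writes land in the WOW6432Node view;
        # on a 64-bit host check both the native and the redirected key.
        return "\\WOW6432Node\\" in self.path


def parse_iocs(text: str) -> tuple[list[RegistryWrite], list[str]]:
    """Return (parsed Set-value writes, other non-empty lines left unparsed)."""
    writes, skipped = [], []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = SET_VALUE_RE.match(line)
        if m:
            writes.append(RegistryWrite(m["path"], m["data"], m["proc"]))
        elif line:
            skipped.append(line)
    return writes, skipped


def disabled_controls(writes: list[RegistryWrite]) -> dict[str, set[str]]:
    """Control -> processes that disabled it. Unknown writes are not guessed at."""
    hits: dict[str, set[str]] = {}
    for w in writes:
        control = DISABLED_CONTROL.get((w.value_name, w.data))
        if control:
            hits.setdefault(control, set()).add(w.process)
    return hits


def unclassified(writes: list[RegistryWrite]) -> list[RegistryWrite]:
    """Writes the table does not know: review these by hand rather than ignore them."""
    return [w for w in writes if (w.value_name, w.data) not in DISABLED_CONTROL]


if __name__ == "__main__":
    writes, skipped = parse_iocs(REPORT_IOCS)
    for control, procs in sorted(disabled_controls(writes).items()):
        print(f"{control:48} by {', '.join(sorted(procs))}")
    for w in writes:
        view = " (WOW6432Node view)" if w.wow64_redirected else ""
        print(f"check {w.hive}: {w.value_name}{view}")
    print("unparsed:", skipped)
```

The "Key created" row is deliberately left unparsed and reported rather than silently dropped; the same goes for any Set-value write whose (name, data) pair is not in the table, so a new evasion key cannot hide behind a clean summary.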
Processes
Each entry: image path, command line, PID. Indentation shows the parent/child relationship; the signatures a process triggered are listed under it.

C:\Windows\system32\fontdrvhost.exe   "fontdrvhost.exe"   PID 784
C:\Windows\system32\fontdrvhost.exe   "fontdrvhost.exe"   PID 788
C:\Windows\system32\dwm.exe   "dwm.exe"   PID 1016
C:\Windows\system32\sihost.exe   sihost.exe   PID 2580
C:\Windows\system32\svchost.exe   C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc   PID 2732
C:\Windows\system32\taskhostw.exe   taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}   PID 2996
C:\Windows\Explorer.EXE   C:\Windows\Explorer.EXE   PID 3408
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe   "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe"   PID 4536
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe   "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\   PID 2456
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Disables RegEdit via registry modification
            - Deletes itself
            - Executes dropped EXE
            - Loads dropped DLL
            - Windows security modification
            - Checks whether UAC is enabled
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            - System policy modification
C:\Windows\system32\svchost.exe   C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc   PID 3536
C:\Windows\system32\DllHost.exe   C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}   PID 3720
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe   "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca   PID 3820
C:\Windows\System32\RuntimeBroker.exe   C:\Windows\System32\RuntimeBroker.exe -Embedding   PID 3884
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe   "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca   PID 3968
C:\Windows\System32\RuntimeBroker.exe   C:\Windows\System32\RuntimeBroker.exe -Embedding   PID 4124
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe   "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca   PID 4036
C:\Windows\System32\RuntimeBroker.exe   C:\Windows\System32\RuntimeBroker.exe -Embedding   PID 4756
C:\Windows\system32\backgroundTaskHost.exe   "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca   PID 4200
C:\Windows\system32\backgroundTaskHost.exe   "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca   PID 5072
C:\Windows\System32\RuntimeBroker.exe   C:\Windows\System32\RuntimeBroker.exe -Embedding   PID 372
C:\Windows\System32\RuntimeBroker.exe   C:\Windows\System32\RuntimeBroker.exe -Embedding   PID 1756
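The WriteProcessMemory rows in the Signatures section are more telling once their target PIDs are resolved against this process list: both the sample (PID 4536) and its dropped Au_.exe (PID 2456) write into fontdrvhost, dwm, Explorer, svchost and the other pre-existing desktop processes, not only into the child the sample launched. The Python below is an added example, not part of the report or the sample. It joins a subset of those rows with the PID-to-image table and the parent relation transcribed from the tree above and separates writes into a process the writer itself spawned (ordinary for an installer launching its extracted binary) from writes into processes it did not create, which is the cross-process injection the signature flags. The PROCESSES and PARENT tables are transcribed from the report; WRITE_IOCS is a sampled subset of the report's rows, and the child-versus-injection rule is the example's own.

```python
"""Resolve WriteProcessMemory targets against a sandbox process list and split
the writes into child set-up versus injection into unrelated processes."""
import re
from collections import defaultdict

# PID -> image name, transcribed from the Processes section of this report.
PROCESSES = {
    784: "fontdrvhost.exe", 788: "fontdrvhost.exe", 1016: "dwm.exe",
    2580: "sihost.exe", 2732: "svchost.exe", 2996: "taskhostw.exe",
    3408: "Explorer.EXE", 4536: "JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe",
    2456: "Au_.exe", 3536: "svchost.exe", 3720: "DllHost.exe",
    3820: "StartMenuExperienceHost.exe", 3884: "RuntimeBroker.exe",
    3968: "SearchApp.exe", 4124: "RuntimeBroker.exe", 4036: "TextInputHost.exe",
    4756: "RuntimeBroker.exe", 4200: "backgroundTaskHost.exe",
    5072: "backgroundTaskHost.exe", 372: "RuntimeBroker.exe", 1756: "RuntimeBroker.exe",
}

# child PID -> parent PID, from the indentation of the process tree.
PARENT = {4536: 3408, 2456: 4536}

# Constructed sample: a subset of the report's WriteProcessMemory rows, in the
# report's layout: "PID <writer> wrote to memory of <target> <writer> <image> <target index>".
WRITE_IOCS = """
PID 4536 wrote to memory of 784 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 8
PID 4536 wrote to memory of 3408 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 56
PID 4536 wrote to memory of 2456 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 85
PID 4536 wrote to memory of 2456 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 85
PID 4536 wrote to memory of 2456 4536 JaffaCakes118_840fa6ee06fff8d84a2773e8ae922156.exe 85
PID 2456 wrote to memory of 784 2456 Au_.exe 8
PID 2456 wrote to memory of 1016 2456 Au_.exe 13
PID 2456 wrote to memory of 372 2456 Au_.exe 87
"""

# The back-reference \1 insists that the writer PID printed twice in a row agrees;
# a row where they differ is malformed and is skipped rather than misattributed.
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+$")


def parse_writes(text):
    """Return [(writer_pid, target_pid, writer_image)] for every well-formed row."""
    rows = []
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            rows.append((int(m[1]), int(m[2]), m[3]))
    return rows


def image_of(pid, processes=PROCESSES):
    """Name a PID; a PID missing from the tree (e.g. a process that had already
    exited) is kept with a marker instead of being dropped."""
    return processes.get(pid, f"pid:{pid} (not in process list)")


def classify_writes(rows, parent=PARENT):
    """Split writes by whether the target is the writer's own child.
    Returns {"child_setup": {writer: [targets]}, "injection": {writer: [targets]}}
    with duplicate rows collapsed per target."""
    result = {"child_setup": defaultdict(set), "injection": defaultdict(set)}
    for writer, target, _ in rows:
        bucket = "child_setup" if parent.get(target) == writer else "injection"
        result[bucket][image_of(writer)].add(image_of(target))
    return {k: {w: sorted(t) for w, t in v.items()} for k, v in result.items()}


if __name__ == "__main__":
    summary = classify_writes(parse_writes(WRITE_IOCS))
    for bucket, writers in summary.items():
        for writer, targets in writers.items():
            print(f"{bucket:12} {writer} -> {', '.join(targets)}")
```

Run against all 38 rows from the report, the "injection" bucket covers every listed desktop process for both writers while "child_setup" holds only the three writes from 4536 into 2456, which is the shape a responder should expect from a file infector rather than from an installer.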
Network
MITRE ATT&CK Enterprise v15
(number in parentheses = matched signatures)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
Filesize: 107KB
MD5: 1e77482af3122ce2cc5a1a0dc8d3082d
SHA1: bd73aee1dc12468a2e285dc3358776faf02404c1
SHA256: f954e8a92a0b52a2c46ad5d42076d1c19f78758b300569085ee77a9c9b69c79a
SHA512: 7fd3ba411f88793c2f046dd38bae692d2ad2e545a4e94cc58802b3dc12ca390663b68aebb25c85f100fc38abcbd9913c8e3c1dda2ffd10976ac1d1fbfa726b8b

Filesize: 35KB
MD5: 2cfba79d485cf441c646dd40d82490fc
SHA1: 83e51ac1115a50986ed456bd18729653018b9619
SHA256: 86b302fa9c85dfa0c1c03ba000864a928365dab571f3355347dba02da22949b7
SHA512: cca186a7f9c5cff3f4eca410fbe8cc13dad2514a7e36aec9b1addfbcb239ace9b9b2d8427771858e3fd11783abce7e24d43c286f98da9f8b17562ca095a4c043

Filesize: 11KB
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Filesize: 13KB
MD5: bcec2a6095d38abc192a68d094c302d0
SHA1: 9e88c5b957b45524690513b75d81dee259d5d599
SHA256: 446000200eff4f9c20761ce1680902daba190c81a57154f4917b1741d7800e3c
SHA512: b48e85a17904a104eef573358763a0b1215eec96f72f83ff544d2dab22737bc42411ca505adf3f7e95c6f7e7997ad3e408f258093727105b678d5eee8d8e6278

Filesize: 4KB
MD5: 7579ade7ae1747a31960a228ce02e666
SHA1: 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256: 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512: a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Filesize: 24KB
MD5: ef630cf1898c257df36b1037bd1e5392
SHA1: b2c47d9a741d2b5391387059552b37f2daddade2
SHA256: 41776a77b4e3bba1c3e70d10b9f560248148b8f2c45d39d4cd8683754112860f
SHA512: 986b405d723294ff5b3649f899bc048c5693bd386dc3f489b390ccb1d56e8e65a9dbe6d0863d553525ce93d505a162eaa087faf4b4c5133345c3330d01327211

Filesize: 9KB
MD5: c10e04dd4ad4277d5adc951bb331c777
SHA1: b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256: e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512: 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Filesize: 183KB
MD5: 840fa6ee06fff8d84a2773e8ae922156
SHA1: 578ca844543245c67e88aa8c71664035f4b18d76
SHA256: 52f79515018dba7417e433c71b09a951015f69827f30b1ca0db3688a2a21d65b
SHA512: b6ca765f0fa3193e0e332e3a9f730309b88491327c6c35eb543343d8e8997e70f9643347ed875156d18403d56e1139e74f7f462aab2c36130197ad2188b3d55d

Filesize: 257B
MD5: fcb3accaad8df7dcac3dedcba0487608
SHA1: 120d3714e2b2e9b85ac4ccae0cc3e370a527ca1d
SHA256: 812046608d7abcbcf2b2c1a65c4c1f186d1de1d1f7d771f9a7e79a18e061b649
SHA512: 515303d485ab542b52db584f44df9bcae482a352a6b272bfbefce0965f0ad169f4277b418d9d3f19b9c1375ebc93d54c11f43bedd686bb1178da7b5f9c441002