sality | dff10f255546c9373ba738c152c10251460ccd5212020aa8fa9cdf87b4eab0cc

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Size

194KB
MD5

9e6c22af0433a806517fafc0e83e1574
SHA1

1c9bb427aa29e8be2c4258bc1393fed578841172
SHA256

dff10f255546c9373ba738c152c10251460ccd5212020aa8fa9cdf87b4eab0cc
SHA512

2136c548e24a2f0f316a97d21504e94b5c9057188546819ac5006c075537c90513c7deb389fd2273f2096aa80bc32be1c2d5c8e9ef86b670ef579d341123933c
SSDEEP

6144:WtvtJ4Xma2TbglDyIlIAfgSt4KO2iWiWsV:WtLTbsJIOOKOXcq

Score

10^/10

sality backdoor google defense_evasion discovery persistence phishing privilege_escalation trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	A~NSISu_.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1140	netsh.exe
5072	netsh.exe

Deletes itself 1 IoCs

pid	Process
2472	A~NSISu_.exe

Executes dropped EXE 1 IoCs

pid	Process
2472	A~NSISu_.exe

Loads dropped DLL 3 IoCs

pid	Process
2472	A~NSISu_.exe
2472	A~NSISu_.exe
2472	A~NSISu_.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	A~NSISu_.exe

Detected potential entity reuse from brand GOOGLE. 1 IoCs

phishing google

flow	pid	Process
28	2596	IEXPLORE.EXE

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3360-1-0x00000000023B0000-0x00000000033E0000-memory.dmp	upx
behavioral2/memory/3360-4-0x00000000023B0000-0x00000000033E0000-memory.dmp	upx
behavioral2/memory/3360-26-0x00000000023B0000-0x00000000033E0000-memory.dmp	upx
behavioral2/memory/2472-42-0x0000000004950000-0x0000000005980000-memory.dmp	upx
behavioral2/memory/2472-44-0x0000000004950000-0x0000000005980000-memory.dmp	upx
behavioral2/memory/2472-46-0x0000000004950000-0x0000000005980000-memory.dmp	upx
behavioral2/memory/2472-55-0x0000000004950000-0x0000000005980000-memory.dmp	upx
behavioral2/memory/2472-56-0x0000000004950000-0x0000000005980000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
File opened for modification	C:\Windows\Low	iexplore.exe
File created	C:\Windows\~DFF068013D52DB8329.TMP	iexplore.exe
File created	C:\Windows\~DF5FC40AA1148B9108.TMP	iexplore.exe
File created	C:\Windows\~DF9802212F85814368.TMP	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A~NSISu_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{75A49A7F-E3A7-11EF-8189-FEC9CAF5062B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "445514360"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ec9c09ee8d9ab846acecf8db7631dd810000000002000000000010660000000100002000000078a97141ebd6042389c414ad46a2a591e31d66f272cccc61fcdb23b480398ed2000000000e80000000020000200000002c2c42c17aac25a1c664f2fc4c9126b7b8d2e436cc079f1b97240e6205ecc7212000000004591fb65ca1b5710c5c37c63dad602a40e3a99766657975acad4890014a98d740000000ea5c6d46ed5034dee8a1282478d1464f070ea7ab6b35b4f1e2154575a06b36af694bcce0939e546989ea53200615740a822209883d5e64a80b7d3ef7016d608f	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80f8e54cb477db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60dff14cb477db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ec9c09ee8d9ab846acecf8db7631dd810000000002000000000010660000000100002000000064c6bedd1eab519d720f22014148dd26a13f72d72e656c0268cc99de09c92280000000000e8000000002000020000000550d2f062e90867baf670c0d26e1da4c17b2dc102ed9e66347ae6afa39f92f0c20000000fdad547ff85424d00e5a59aefeeaf937195973bc1b6bcdb3a17e57a2c9861286400000007c293f1cccec118e8ca993db6bb6b2bbf6d972b8a418fdc7e46e87724ca8ba4018a933bc281962723c761fd25799659dcf54bdf7585cffe7c32311f85bc6b36d	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
2472	A~NSISu_.exe
2472	A~NSISu_.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Token: SeDebugPrivilege	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3392	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3392	iexplore.exe
3392	iexplore.exe
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 3360 wrote to memory of 780	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	8
PID 3360 wrote to memory of 788	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	9
PID 3360 wrote to memory of 336	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	13
PID 3360 wrote to memory of 2976	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	49
PID 3360 wrote to memory of 3040	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	51
PID 3360 wrote to memory of 736	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	52
PID 3360 wrote to memory of 3408	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	55
PID 3360 wrote to memory of 1140	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	84
PID 3360 wrote to memory of 1140	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	84
PID 3360 wrote to memory of 1140	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	84
PID 3360 wrote to memory of 3588	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	57
PID 3360 wrote to memory of 3792	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	58
PID 3360 wrote to memory of 3888	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	59
PID 3360 wrote to memory of 3996	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	60
PID 3360 wrote to memory of 4092	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	61
PID 3360 wrote to memory of 4108	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	62
PID 3360 wrote to memory of 1364	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	75
PID 3360 wrote to memory of 812	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	76
PID 3360 wrote to memory of 1544	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	80
PID 3360 wrote to memory of 852	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	81
PID 3360 wrote to memory of 636	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	83
PID 3360 wrote to memory of 2472	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	86
PID 3360 wrote to memory of 2472	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	86
PID 3360 wrote to memory of 2472	3360	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe	86
PID 2472 wrote to memory of 780	2472	A~NSISu_.exe	8
PID 2472 wrote to memory of 788	2472	A~NSISu_.exe	9
PID 2472 wrote to memory of 336	2472	A~NSISu_.exe	13
PID 2472 wrote to memory of 5072	2472	A~NSISu_.exe	92
PID 2472 wrote to memory of 5072	2472	A~NSISu_.exe	92
PID 2472 wrote to memory of 5072	2472	A~NSISu_.exe	92
PID 2472 wrote to memory of 2976	2472	A~NSISu_.exe	49
PID 2472 wrote to memory of 3040	2472	A~NSISu_.exe	51
PID 2472 wrote to memory of 736	2472	A~NSISu_.exe	52
PID 2472 wrote to memory of 3408	2472	A~NSISu_.exe	55
PID 2472 wrote to memory of 3588	2472	A~NSISu_.exe	57
PID 2472 wrote to memory of 3792	2472	A~NSISu_.exe	58
PID 2472 wrote to memory of 3888	2472	A~NSISu_.exe	59
PID 2472 wrote to memory of 3996	2472	A~NSISu_.exe	60
PID 2472 wrote to memory of 4092	2472	A~NSISu_.exe	61
PID 2472 wrote to memory of 4108	2472	A~NSISu_.exe	62
PID 2472 wrote to memory of 1364	2472	A~NSISu_.exe	75
PID 2472 wrote to memory of 812	2472	A~NSISu_.exe	76
PID 2472 wrote to memory of 1544	2472	A~NSISu_.exe	80
PID 2472 wrote to memory of 2632	2472	A~NSISu_.exe	87
PID 2472 wrote to memory of 112	2472	A~NSISu_.exe	88
PID 2472 wrote to memory of 3392	2472	A~NSISu_.exe	94
PID 2472 wrote to memory of 3392	2472	A~NSISu_.exe	94
PID 3392 wrote to memory of 2596	3392	iexplore.exe	95
PID 3392 wrote to memory of 2596	3392	iexplore.exe	95
PID 3392 wrote to memory of 2596	3392	iexplore.exe	95

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	A~NSISu_.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:336

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3040

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:736

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3408
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3360
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1140
- - C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe
    "C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - UAC bypass
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2472
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall set opmode disable
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:5072
  - - C:\Program Files\Internet Explorer\iexplore.exe
      -nohome http://picasa.google.com/support/bin/request.py?contact_type=uninstall&hl=en
      4⤵
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3392
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3392 CREDAT:17410 /prefetch:2
        5⤵
        Detected potential entity reuse from brand GOOGLE.
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3588

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3792

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3888

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3996

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4092

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4108

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1364

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:812

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1544

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:852

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:636

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2632

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\4wu8kc2\imagestore.dat

Filesize
5KB

MD5
18a4222415a6b52ba57dfa625c90be4a

SHA1
048eaa72adf37de5fe5221b85009368a5a1cfbbb

SHA256
c83e65ceec9d62d6f9d50a508b5f221affb308bdb9d518d5dc5095f028214def

SHA512
6aa5b0246659a512bb1737c7f9e14367ddb337b1cb9bf2e18f28d543aa6e429f23a0a85ddbe7b96e19e534be2c47b2ab4719645e4e66340794613ff2483476e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2S25UHZ1\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\F4VLIMJ5\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FZBC1AEJ\analytics[1].js

Filesize
51KB

MD5
575b5480531da4d14e7453e2016fe0bc

SHA1
e5c5f3134fe29e60b591c87ea85951f0aea36ee1

SHA256
de36e50194320a7d3ef1ace9bd34a875a8bd458b253c061979dd628e9bf49afd

SHA512
174e48f4fb2a7e7a0be1e16564f9ed2d0bbcc8b4af18cb89ad49cf42b1c3894c8f8e29ce673bc5d9bc8552f88d1d47294ee0e216402566a3f446f04aca24857a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0E57BE8D_Rar\A~NSISu_.exe

Filesize
126KB

MD5
e0a6135796ba57d50b38d4df8e6dfc9e

SHA1
6f497299b34f9ef779fbe4e7b9b209c760faae41

SHA256
0b0a7903527cf2ce868294311c7c060969a81428413ae6d6b9a6dba1976dcfa6

SHA512
f2cd6bd6abe19ddd75133a9a10f7bbb2ff7299fa3c2fc3c6d212b86f2db4d04ea10311cca432f849d211e9baab2e6f147c5928f91dad0198e79e9b050740d72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe

Filesize
194KB

MD5
9e6c22af0433a806517fafc0e83e1574

SHA1
1c9bb427aa29e8be2c4258bc1393fed578841172

SHA256
dff10f255546c9373ba738c152c10251460ccd5212020aa8fa9cdf87b4eab0cc

SHA512
2136c548e24a2f0f316a97d21504e94b5c9057188546819ac5006c075537c90513c7deb389fd2273f2096aa80bc32be1c2d5c8e9ef86b670ef579d341123933c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmBEAE.tmp\InstallOptions.dll

Filesize
12KB

MD5
4c7d97d0786ff08b20d0e8315b5fc3cb

SHA1
bb6f475e867b2bf55e4cd214bd4ef68e26d70f6c

SHA256
75e20f4c5eb00e9e5cb610273023e9d2c36392fa3b664c264b736c7cc2d1ac84

SHA512
f37093fd5cdda74d8f7376c60a05b442f884e9d370347c7c39d84eca88f23fbea6221da2e57197acd78c817a74703c49fb28b89d41c3e34817cc9301b0b6485a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmBEAE.tmp\NSIS_Picasa.dll

Filesize
54KB

MD5
34f94d6258185a13001e9a2c5860a708

SHA1
c0b69518e071f5c3b30721ad77d46da59ee75eee

SHA256
9524254f539e007bf57494d797ab24ad7659cab1df4b2164e1c0d688b2b53d23

SHA512
3dfbbc938b5922cf1b99264f9f654f2cf826ab9d66e5aa2581a99d49c5ee54f7b9337cc4f7a5835ae471537ee77c9b86a249c9425c407dbdf959529f7d04608f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmBEAE.tmp\ioSpecial.ini

Filesize
505B

MD5
6948d28e9b94dd6f082025ddad358aeb

SHA1
c5184cf05311a119f5583a0a8fa051feccac2337

SHA256
d67b114bfbfaa4c5ca3f8d7e2ae8e014890913b16a116213274fb414fc221f03

SHA512
e023856212857e0f6ed671b0ec2a6268e8d7465236ddae2fe2e987921ed0043bd1eee421e87d4b9b6b2fc35945e0f11f9f814de4e11574184e5ad787a8b3de87

Download Submit
C:\Windows\SYSTEM.INI

Filesize
258B

MD5
b0a1e09b80d3eb9efd643aeecb254bfb

SHA1
89892f7d4c8105b313ea561051abe88d89c509d6

SHA256
7c8c025f11172bc7374beacfbcfae1809dac4ee206c8ec82c416788c2ae640dc

SHA512
901706cd4149ba5e5c70ae204251ffc2fab149b31c68991dc85c50c0215952303077b47bc05da4528f80669760ca2f35372ff849683c177368ad5474aaa9ae7d

Download Submit
memory/2472-46-0x0000000004950000-0x0000000005980000-memory.dmp

Filesize
16.2MB

Download
memory/2472-44-0x0000000004950000-0x0000000005980000-memory.dmp

Filesize
16.2MB

Download
memory/2472-51-0x0000000002380000-0x0000000002382000-memory.dmp

Filesize
8KB

Download
memory/2472-245-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2472-50-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/2472-42-0x0000000004950000-0x0000000005980000-memory.dmp

Filesize
16.2MB

Download
memory/2472-54-0x0000000002380000-0x0000000002382000-memory.dmp

Filesize
8KB

Download
memory/2472-25-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2472-56-0x0000000004950000-0x0000000005980000-memory.dmp

Filesize
16.2MB

Download
memory/2472-55-0x0000000004950000-0x0000000005980000-memory.dmp

Filesize
16.2MB

Download
memory/3360-4-0x00000000023B0000-0x00000000033E0000-memory.dmp

Filesize
16.2MB

Download
memory/3360-30-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3360-1-0x00000000023B0000-0x00000000033E0000-memory.dmp

Filesize
16.2MB

Download
memory/3360-9-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/3360-12-0x0000000000AF0000-0x0000000000AF2000-memory.dmp

Filesize
8KB

Download
memory/3360-13-0x0000000000AF0000-0x0000000000AF2000-memory.dmp

Filesize
8KB

Download
memory/3360-8-0x0000000000AF0000-0x0000000000AF2000-memory.dmp

Filesize
8KB

Download
memory/3360-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3360-21-0x0000000000AF0000-0x0000000000AF2000-memory.dmp

Filesize
8KB

Download
memory/3360-26-0x00000000023B0000-0x00000000033E0000-memory.dmp

Filesize
16.2MB

Download