Analysis

- max time kernel: 150s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-02-2025 18:18

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_a25d39cd9f979698481de64c4a15a42f.exe
Resource: win7-20240903-en
General

- Target: JaffaCakes118_a25d39cd9f979698481de64c4a15a42f.exe
- Size: 213KB
- MD5: a25d39cd9f979698481de64c4a15a42f
- SHA1: 8d2e8ca781c7c801abaf6c7461c8a3f9fb2531c5
- SHA256: 34f7393ce8f0dacef0632a287ffef5c8415bcf5c1a55749a1bf71ce2a8457a56
- SHA512: a572d0aeceb103e50896c072b098ee040d7138b0779bd2a080ff9b5a6c21162cfe6f592f4886dbc64cc2a56294606daabd5dd057f067b59eef53b30c165a8ed3
- SSDEEP: 3072:5gXdZZ9P6D3XJUExrH3NQSnwRcWYEV1s78ZzoMwZrx0MXSzb2GVBY1srLQcZjmEe:5eb4FdXa3RBhS785oMEx0RqMuSrsim7
Malware Config

Extracted family: sality

URLs from the extracted configuration:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Sality family

UAC bypass (3 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  process: JaffaCakes118_a25d39cd9f979698481de64c4a15a42f.exe

Loads dropped DLL (5 IoCs)
  pid 1836, process JaffaCakes118_a25d39cd9f979698481de64c4a15a42f.exe (5 identical entries)

Checks whether UAC is enabled (1 TTP, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  process: JaffaCakes118_a25d39cd9f979698481de64c4a15a42f.exe

YARA rule match: upx (10 IoCs)
  All ten memory dumps are of the same region of pid 1836, 0x0000000002580000-0x00000000035B0000, taken at different points in the run:
  - behavioral2/memory/1836-8-0x0000000002580000-0x00000000035B0000-memory.dmp
  - behavioral2/memory/1836-6-0x0000000002580000-0x00000000035B0000-memory.dmp
  - behavioral2/memory/1836-3-0x0000000002580000-0x00000000035B0000-memory.dmp
  - behavioral2/memory/1836-37-0x0000000002580000-0x00000000035B0000-memory.dmp
  - behavioral2/memory/1836-39-0x0000000002580000-0x00000000035B0000-memory.dmp
  - behavioral2/memory/1836-62-0x0000000002580000-0x00000000035B0000-memory.dmp
  - behavioral2/memory/1836-65-0x0000000002580000-0x00000000035B0000-memory.dmp
  - behavioral2/memory/1836-86-0x0000000002580000-0x00000000035B0000-memory.dmp
  - behavioral2/memory/1836-87-0x0000000002580000-0x00000000035B0000-memory.dmp
  - behavioral2/memory/1836-95-0x0000000002580000-0x00000000035B0000-memory.dmp

Drops file in Program Files directory (11 IoCs)
  File opened for modification by JaffaCakes118_a25d39cd9f979698481de64c4a15a42f.exe (all eleven are existing executables, consistent with a file infector rather than a dropper):
  - C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe
  - C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
  - C:\PROGRAM FILES\7-ZIP\Uninstall.exe
  - C:\PROGRAM FILES\7-ZIP\7zFM.exe
  - C:\PROGRAM FILES\7-ZIP\7zG.exe
  - C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe
  - C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe
  - C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe
  - C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe
  - C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe
  - C:\PROGRAM FILES\7-ZIP\7z.exe

Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\SYSTEM.INI
  process: JaffaCakes118_a25d39cd9f979698481de64c4a15a42f.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  - 9 entries by NOTEPAD.EXE
  - 1 entry by JaffaCakes118_a25d39cd9f979698481de64c4a15a42f.exe

Suspicious behavior: EnumeratesProcesses (30 IoCs)
  pid 1836, process JaffaCakes118_a25d39cd9f979698481de64c4a15a42f.exe (30 identical entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege, pid 1836, process JaffaCakes118_a25d39cd9f979698481de64c4a15a42f.exe (64 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  All 64 entries are writes by pid 1836 (JaffaCakes118_a25d39cd9f979698481de64c4a15a42f.exe) into other processes. Collapsed by target, with the target image taken from the process tree below:

  target pid  procid_target  writes  target image
  772         8              3       fontdrvhost.exe
  780         9              3       fontdrvhost.exe
  1016        13             3       dwm.exe
  2704        49             3       sihost.exe
  2852        50             3       svchost.exe (-k UnistackSvcGroup -s CDPUserSvc)
  2964        51             3       taskhostw.exe
  3376        56             3       Explorer.EXE
  3476        57             3       svchost.exe (-k ClipboardSvcGroup -p -s cbdhsvc)
  3724        58             3       DllHost.exe
  3816        59             3       StartMenuExperienceHost.exe
  3888        60             3       RuntimeBroker.exe
  3976        61             3       SearchApp.exe
  4156        62             3       RuntimeBroker.exe
  4512        64             3       RuntimeBroker.exe
  1400        76             3       TextInputHost.exe
  2944        83             3       backgroundTaskHost.exe
  3568        84             1       backgroundTaskHost.exe
  3604        87             2       RuntimeBroker.exe
  4244        88             2       RuntimeBroker.exe
  1224        100            4       NOTEPAD.EXE (child of 1836)
  3300        101            4       NOTEPAD.EXE (child of 1836)
  4172        102            3       NOTEPAD.EXE (child of 1836)

System policy modification (1 TTP, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  process: JaffaCakes118_a25d39cd9f979698481de64c4a15a42f.exe
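The EnableLUA write recorded under UAC bypass, Checks whether UAC is enabled and System policy modification is one registry operation reported under three signature names. The Python below is an added example, not part of this sandbox report, showing how a detection would match that operation in endpoint telemetry. It runs over constructed records shaped like Sysmon Event ID 13 (registry value set) fields and assumes those field names (Image, TargetObject, Details) and Sysmon's "DWORD (0x...)" rendering of values; only the key path and the sample name are taken from the report.

```python
"""Detect the EnableLUA = 0 policy write this sample performs.

Added example, not part of the sandbox report. The event records below are
constructed in the shape of Sysmon Event ID 13 (RegistryEvent: value set)
fields; only the key path and the sample name come from the report.
"""
import re
from typing import Dict, List, Optional

# Key written by the sample according to the report. The sandbox prints it in
# the kernel's \REGISTRY\MACHINE form; Sysmon logs the same key under HKLM.
ENABLELUA_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"


def normalize_key(path: str) -> str:
    """Fold the \\REGISTRY\\MACHINE and HKEY_LOCAL_MACHINE spellings onto HKLM, upper-cased."""
    p = path.strip()
    for prefix in (r"\REGISTRY\MACHINE", "HKEY_LOCAL_MACHINE"):
        if p.upper().startswith(prefix):
            p = "HKLM" + p[len(prefix):]
            break
    return p.upper()


def parse_dword(details: str) -> Optional[int]:
    """Sysmon renders a DWORD as 'DWORD (0x00000000)'; the sandbox prints it as "0"."""
    d = details.strip()
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]+)\)", d)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r'"?(\d+)"?', d)
    return int(m.group(1)) if m else None


def is_uac_disable(event: Dict[str, str]) -> bool:
    """True when the machine-wide EnableLUA value is set to 0.

    The hive matters: the same relative path under HKCU is not consulted for
    UAC, so only an exact HKLM match counts (a suffix match would false-positive).
    """
    return (normalize_key(event["TargetObject"]) == ENABLELUA_KEY.upper()
            and parse_dword(event["Details"]) == 0)


def find_uac_disables(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the subset of events that disable UAC."""
    return [e for e in events if is_uac_disable(e)]


SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a25d39cd9f979698481de64c4a15a42f.exe"

# Constructed records (not from the report): two true positives in different
# spellings, one write of 1 (UAC being re-enabled) and one per-user HKCU write.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": SAMPLE_IMAGE, "TargetObject": ENABLELUA_KEY, "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Windows\System32\svchost.exe", "TargetObject": ENABLELUA_KEY, "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"Image": SAMPLE_IMAGE,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": '"0"'},
]

if __name__ == "__main__":
    for e in find_uac_disables(SAMPLE_EVENTS):
        print("UAC disabled by", e["Image"])
```

Two points a responder should keep in mind: an EnableLUA change only takes effect after a reboot, so a host where this fired can still show UAC prompts until then, and the value being set back to 1 by a remediation script will match a naive "EnableLUA written" rule unless the value is checked, as above.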
Processes

Each entry is: image path; command line; PID. Indentation shows the parent/child relationships the sandbox recorded.

- C:\Windows\system32\fontdrvhost.exe; "fontdrvhost.exe"; PID 772
- C:\Windows\system32\fontdrvhost.exe; "fontdrvhost.exe"; PID 780
- C:\Windows\system32\dwm.exe; "dwm.exe"; PID 1016
- C:\Windows\system32\sihost.exe; sihost.exe; PID 2704
- C:\Windows\system32\svchost.exe; C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc; PID 2852
- C:\Windows\system32\taskhostw.exe; taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}; PID 2964
- C:\Windows\Explorer.EXE; C:\Windows\Explorer.EXE; PID 3376
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a25d39cd9f979698481de64c4a15a42f.exe; "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a25d39cd9f979698481de64c4a15a42f.exe"; PID 1836
    Signatures: UAC bypass; Loads dropped DLL; Checks whether UAC is enabled; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\SysWOW64\NOTEPAD.EXE; "C:\Windows\system32\NOTEPAD.EXE"; PID 1224; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\NOTEPAD.EXE; "C:\Windows\system32\NOTEPAD.EXE"; PID 3300; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\NOTEPAD.EXE; "C:\Windows\system32\NOTEPAD.EXE"; PID 4172; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\NOTEPAD.EXE; "C:\Windows\system32\NOTEPAD.EXE"; PID 720; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\NOTEPAD.EXE; "C:\Windows\system32\NOTEPAD.EXE"; PID 3416; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\NOTEPAD.EXE; "C:\Windows\system32\NOTEPAD.EXE"; PID 1280; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\NOTEPAD.EXE; "C:\Windows\system32\NOTEPAD.EXE"; PID 3508; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\NOTEPAD.EXE; "C:\Windows\system32\NOTEPAD.EXE"; PID 2788; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\NOTEPAD.EXE; "C:\Windows\system32\NOTEPAD.EXE"; PID 4480; System Location Discovery: System Language Discovery
    (The NOTEPAD.EXE image resolves under SysWOW64 although the command line names system32: the sample is 32-bit, so its system32 path is redirected by WoW64.)
- C:\Windows\system32\svchost.exe; C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc; PID 3476
- C:\Windows\system32\DllHost.exe; C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}; PID 3724
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe; "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca; PID 3816
- C:\Windows\System32\RuntimeBroker.exe; C:\Windows\System32\RuntimeBroker.exe -Embedding; PID 3888
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe; "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca; PID 3976
- C:\Windows\System32\RuntimeBroker.exe; C:\Windows\System32\RuntimeBroker.exe -Embedding; PID 4156
- C:\Windows\System32\RuntimeBroker.exe; C:\Windows\System32\RuntimeBroker.exe -Embedding; PID 4512
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe; "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca; PID 1400
- C:\Windows\system32\backgroundTaskHost.exe; "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca; PID 2944
- C:\Windows\system32\backgroundTaskHost.exe; "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca; PID 3568
- C:\Windows\System32\RuntimeBroker.exe; C:\Windows\System32\RuntimeBroker.exe -Embedding; PID 3604
- C:\Windows\System32\RuntimeBroker.exe; C:\Windows\System32\RuntimeBroker.exe -Embedding; PID 4244
- C:\Windows\system32\BackgroundTransferHost.exe; "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1; PID 4600
- C:\Windows\System32\RuntimeBroker.exe; C:\Windows\System32\RuntimeBroker.exe -Embedding; PID 1164
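The WriteProcessMemory IoCs and the process tree are easier to read together: they show which targets were already running in the session when the sample started and which the sample spawned itself. The Python below is an added example, not part of this sandbox report. It parses the report's flattened IoC entries (a subset of the 64 is embedded, copied verbatim from the signature section) against a hand-transcribed fragment of the process tree and summarises writes per target. The entry layout, `PID <src> wrote to memory of <dst> <src> <image> <procid_target>`, is assumed from the report's own rendering.

```python
"""Correlate the WriteProcessMemory IoCs from the report with its process tree.

Added example, not part of the sandbox report. IOC_TEXT is a subset of the
entries copied from the 'Suspicious use of WriteProcessMemory' section; TREE
is transcribed by hand from the 'Processes' section.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

SAMPLE = "JaffaCakes118_a25d39cd9f979698481de64c4a15a42f.exe"

# One flattened entry reads:
#   PID <src> wrote to memory of <dst> <src> <image> <procid_target>
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

# Subset of the report's 64 entries (copied, not constructed).
IOC_TEXT = " ".join([
    f"PID 1836 wrote to memory of 772 1836 {SAMPLE} 8",
    f"PID 1836 wrote to memory of 3376 1836 {SAMPLE} 56",
    f"PID 1836 wrote to memory of 772 1836 {SAMPLE} 8",
    f"PID 1836 wrote to memory of 1224 1836 {SAMPLE} 100",
    f"PID 1836 wrote to memory of 1224 1836 {SAMPLE} 100",
])

# pid -> (image, parent pid). Depth-1 processes have no parent in the report.
TREE: Dict[int, Tuple[str, Optional[int]]] = {
    772: ("fontdrvhost.exe", None),
    3376: ("Explorer.EXE", None),
    1836: (SAMPLE, 3376),
    1224: ("NOTEPAD.EXE", 1836),
}


def parse_wpm(text: str) -> List[Tuple[int, int, str, int]]:
    """Return (source pid, target pid, source image, procid_target) per entry."""
    out = []
    for src, dst, src2, image, target_id in WPM_RE.findall(text):
        # The sandbox repeats the writer's pid in each entry; a mismatch means
        # the regex has drifted across entry boundaries, so refuse to guess.
        if src != src2:
            raise ValueError(f"inconsistent writer pid in entry: {src} vs {src2}")
        out.append((int(src), int(dst), image, int(target_id)))
    return out


def spawned_by(pid: int, ancestor: int, tree: Dict[int, Tuple[str, Optional[int]]]) -> bool:
    """True if `ancestor` is on pid's parent chain in the tree."""
    parent = tree.get(pid, (None, None))[1]
    while parent is not None:
        if parent == ancestor:
            return True
        parent = tree.get(parent, (None, None))[1]
    return False


def summarize(entries, tree, sample_pid: int) -> Dict[int, Dict[str, object]]:
    """Per target pid: image name, number of writes, whether the sample spawned it."""
    counts = Counter(dst for src, dst, _, _ in entries if src == sample_pid)
    return {
        dst: {
            "image": tree.get(dst, ("<not in tree>", None))[0],
            "writes": n,
            "spawned_by_sample": spawned_by(dst, sample_pid, tree),
        }
        for dst, n in counts.items()
    }


if __name__ == "__main__":
    for pid, info in sorted(summarize(parse_wpm(IOC_TEXT), TREE, 1836).items()):
        print(pid, info)
```

Run over the full list, every depth-1 process in the session (fontdrvhost, dwm, sihost, both svchost instances, taskhostw, Explorer, the RuntimeBroker instances and the rest) receives three writes from pid 1836, while the NOTEPAD.EXE children the sample launched itself receive four (1224, 3300) or three (4172); the six later NOTEPAD.EXE children do not appear in the list at all.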
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (2)
Downloads

- Filesize: 85KB
  MD5: 36d9e8bc3a9e1dccb5f7b014af5d3d62
  SHA1: 0ebcf5a86f67f4816aa2ece749bfa7fca5ab9d1f
  SHA256: a45abaf024423904f6997c83caec3d2c4165eba52a7feaff993509e8e2867d82
  SHA512: d67d328ee8930547acce321772d1516840f195764905412fbc6d9579d0e447371c2b17402d3ea3f6f8e38229174091bf7bbb470fc7e6153aff69a55162afa4ae

- Filesize: 32KB
  MD5: d6825856fc7f9b6219d347de6e52d501
  SHA1: faef26b7f2be8a68826b0e357d8aa338e81a3c22
  SHA256: 96eec87919546a72fbc6c4641f9833ef23e3de4ccae7f8926f9008b7a31e6ff8
  SHA512: 3dcfade9f4bca1370ceeca7f63fd05cc86bfb2fe71ba8abf6550b5fff30dce308f735be40bd8b99fdd69c7f707fb2e8c8fda1b0d3e8b7463f344d3d5a374a55b

- Filesize: 11KB
  MD5: 00a0194c20ee912257df53bfe258ee4a
  SHA1: d7b4e319bc5119024690dc8230b9cc919b1b86b2
  SHA256: dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
  SHA512: 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

- Filesize: 4KB
  MD5: 1e8e11f465afdabe97f529705786b368
  SHA1: ea42bed65df6618c5f5648567d81f3935e70a2a0
  SHA256: 7d099352c82612ab27ddfd7310c1aa049b58128fb04ea6ea55816a40a6f6487b
  SHA512: 16566a8c1738e26962139aae893629098dc759e4ac87df3e8eb9819df4e0e422421836bb1e4240377e00fb2f4408ce40f40eee413d0f6dd2f3a4e27a52d49a0b

- Filesize: 9KB
  MD5: ab73c0c2a23f913eabdc4cb24b75cbad
  SHA1: 6569d2863d54c88dcf57c843fc310f6d9571a41e
  SHA256: 3d0060c5c9400a487dbefe4ac132dd96b07d3a4ba3badab46a7410a667c93457
  SHA512: 99d287b5152944f64edc7ce8f3ebcd294699e54a5b42ac7a88e27dff8a68278a5429f4d299802ee7ddbe290f1e3b6a372a5f3bb4ecb1a3c32e384bca3ccdb2b8