Analysis
- max time kernel: 23s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 26/02/2025, 20:21

Static task: static1

Behavioral task: behavioral1
- Sample: JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
- Resource: win10v2004-20250217-en
General
- Target: JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
- Size: 292KB
- MD5: 285cebbc3f15e5f98fd569c88ef88b60
- SHA1: 63e29c8ef0595908a0b3b97fc20a6cab80640a93
- SHA256: 5600f1f50e6971e997b489a53a9741c2e474606739fa9482fbc847cbccb92912
- SHA512: 1544c4dee90ac72e494a1e55c54dad63cf8fbe90731bec8601fb2925cecfc2709399bd3d12c868828b5ae9ee3821c68c179480e44787f665ac020cd0272d87fc
- SSDEEP: 6144:cvEF2U+T6i5LirrllHy4HUcMQY6nyLTepUZPun0CX:uEFN+T5xYrllrU7QY6yLTEnh
Malware Config
Extracted
sality
Signatures

Bazaloader family

Detects BazaLoader malware (1 IoCs)
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests - JaffaCakes118.

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/2812-80-0x0000000000400000-0x0000000000442000-memory.dmp | BazaLoader |
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe |
Modifies firewall policy service (3 TTPs, 6 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | explorer.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | explorer.exe |
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe |
Sality family

UAC bypass (3 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
Windows security bypass (2 TTPs, 12 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe |
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 5 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe |
Deletes itself (1 IoCs)

| pid | Process |
| --- | --- |
| 2896 | explorer.exe |
Executes dropped EXE (4 IoCs)

| pid | Process |
| --- | --- |
| 2896 | explorer.exe |
| 2644 | spoolsv.exe |
| 2812 | svchost.exe |
| 2512 | spoolsv.exe |
Loads dropped DLL (8 IoCs)

| pid | Process |
| --- | --- |
| 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| 2896 | explorer.exe |
| 2896 | explorer.exe |
| 2644 | spoolsv.exe |
| 2644 | spoolsv.exe |
| 2812 | svchost.exe |
| 2812 | svchost.exe |
Windows security modification (2 TTPs, 14 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | explorer.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
Adds Run key to start application (2 TTPs, 4 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe |
Checks whether UAC is enabled (1 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe |
Enumerates connected drives (3 TTPs, 7 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
| --- | --- | --- |
| File opened (read-only) | \??\E: | explorer.exe |
| File opened (read-only) | \??\G: | explorer.exe |
| File opened (read-only) | \??\H: | explorer.exe |
| File opened (read-only) | \??\I: | explorer.exe |
| File opened (read-only) | \??\J: | explorer.exe |
| File opened (read-only) | \??\K: | explorer.exe |
| File opened (read-only) | \??\E: | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| resource | yara_rule |
| --- | --- |
| behavioral1/memory/2384-12-0x0000000002850000-0x00000000038DE000-memory.dmp | upx |
| behavioral1/memory/2384-11-0x0000000002850000-0x00000000038DE000-memory.dmp | upx |
| behavioral1/memory/2384-10-0x0000000002850000-0x00000000038DE000-memory.dmp | upx |
| behavioral1/memory/2384-9-0x0000000002850000-0x00000000038DE000-memory.dmp | upx |
| behavioral1/memory/2384-8-0x0000000002850000-0x00000000038DE000-memory.dmp | upx |
| behavioral1/memory/2384-13-0x0000000002850000-0x00000000038DE000-memory.dmp | upx |
| behavioral1/memory/2384-43-0x0000000002850000-0x00000000038DE000-memory.dmp | upx |
| behavioral1/memory/2384-44-0x0000000002850000-0x00000000038DE000-memory.dmp | upx |
| behavioral1/memory/2384-45-0x0000000002850000-0x00000000038DE000-memory.dmp | upx |
| behavioral1/memory/2384-52-0x0000000002850000-0x00000000038DE000-memory.dmp | upx |
| behavioral1/memory/2384-64-0x0000000002850000-0x00000000038DE000-memory.dmp | upx |
| behavioral1/memory/2384-68-0x0000000002850000-0x00000000038DE000-memory.dmp | upx |
| behavioral1/memory/2384-78-0x0000000002850000-0x00000000038DE000-memory.dmp | upx |
| behavioral1/memory/2384-53-0x0000000002850000-0x00000000038DE000-memory.dmp | upx |
| behavioral1/memory/2384-114-0x0000000002850000-0x00000000038DE000-memory.dmp | upx |
| behavioral1/memory/2896-116-0x00000000037E0000-0x000000000486E000-memory.dmp | upx |
| behavioral1/memory/2896-120-0x00000000037E0000-0x000000000486E000-memory.dmp | upx |
| behavioral1/memory/2896-121-0x00000000037E0000-0x000000000486E000-memory.dmp | upx |
| behavioral1/memory/2896-119-0x00000000037E0000-0x000000000486E000-memory.dmp | upx |
| behavioral1/memory/2896-118-0x00000000037E0000-0x000000000486E000-memory.dmp | upx |
| behavioral1/memory/2896-122-0x00000000037E0000-0x000000000486E000-memory.dmp | upx |
Drops file in Windows directory (6 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | \??\c:\windows\system\explorer.exe | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| File opened for modification | C:\Windows\SYSTEM.INI | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe |
| File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)

| pid | Process |
| --- | --- |
| 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| 2896 | explorer.exe |
| 2896 | explorer.exe |
| 2896 | explorer.exe |
| 2896 | explorer.exe |
| 2896 | explorer.exe |
| 2896 | explorer.exe |
| 2896 | explorer.exe |
| 2896 | explorer.exe |
| 2896 | explorer.exe |
| 2896 | explorer.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
| 2896 | explorer.exe |
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

| pid | Process |
| --- | --- |
| 2896 | explorer.exe |
| 2812 | svchost.exe |
Suspicious use of AdjustPrivilegeToken (43 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Token: SeDebugPrivilege | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Token: SeDebugPrivilege | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Token: SeDebugPrivilege | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Token: SeDebugPrivilege | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Token: SeDebugPrivilege | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Token: SeDebugPrivilege | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Token: SeDebugPrivilege | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Token: SeDebugPrivilege | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Token: SeDebugPrivilege | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Token: SeDebugPrivilege | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Token: SeDebugPrivilege | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Token: SeDebugPrivilege | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Token: SeDebugPrivilege | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Token: SeDebugPrivilege | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Token: SeDebugPrivilege | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Token: SeDebugPrivilege | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Token: SeDebugPrivilege | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Token: SeDebugPrivilege | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Token: SeDebugPrivilege | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
| Token: SeDebugPrivilege | 2896 | explorer.exe |
Suspicious use of SetWindowsHookEx (12 IoCs)

| pid | Process |
| --- | --- |
| 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| 2896 | explorer.exe |
| 2896 | explorer.exe |
| 2644 | spoolsv.exe |
| 2644 | spoolsv.exe |
| 2812 | svchost.exe |
| 2812 | svchost.exe |
| 2512 | spoolsv.exe |
| 2512 | spoolsv.exe |
| 2896 | explorer.exe |
| 2896 | explorer.exe |
Suspicious use of WriteProcessMemory (36 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2384 wrote to memory of 2896 | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 28 |
| PID 2384 wrote to memory of 2896 | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 28 |
| PID 2384 wrote to memory of 2896 | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 28 |
| PID 2384 wrote to memory of 2896 | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 28 |
| PID 2384 wrote to memory of 1108 | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 19 |
| PID 2384 wrote to memory of 1160 | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 20 |
| PID 2384 wrote to memory of 1204 | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 21 |
| PID 2384 wrote to memory of 1664 | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 23 |
| PID 2384 wrote to memory of 2896 | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 28 |
| PID 2384 wrote to memory of 2896 | 2384 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 28 |
| PID 2896 wrote to memory of 2644 | 2896 | explorer.exe | 29 |
| PID 2896 wrote to memory of 2644 | 2896 | explorer.exe | 29 |
| PID 2896 wrote to memory of 2644 | 2896 | explorer.exe | 29 |
| PID 2896 wrote to memory of 2644 | 2896 | explorer.exe | 29 |
| PID 2644 wrote to memory of 2812 | 2644 | spoolsv.exe | 30 |
| PID 2644 wrote to memory of 2812 | 2644 | spoolsv.exe | 30 |
| PID 2644 wrote to memory of 2812 | 2644 | spoolsv.exe | 30 |
| PID 2644 wrote to memory of 2812 | 2644 | spoolsv.exe | 30 |
| PID 2812 wrote to memory of 2512 | 2812 | svchost.exe | 31 |
| PID 2812 wrote to memory of 2512 | 2812 | svchost.exe | 31 |
| PID 2812 wrote to memory of 2512 | 2812 | svchost.exe | 31 |
| PID 2812 wrote to memory of 2512 | 2812 | svchost.exe | 31 |
| PID 2812 wrote to memory of 1740 | 2812 | svchost.exe | 32 |
| PID 2812 wrote to memory of 1740 | 2812 | svchost.exe | 32 |
| PID 2812 wrote to memory of 1740 | 2812 | svchost.exe | 32 |
| PID 2812 wrote to memory of 1740 | 2812 | svchost.exe | 32 |
| PID 2896 wrote to memory of 1108 | 2896 | explorer.exe | 19 |
| PID 2896 wrote to memory of 1160 | 2896 | explorer.exe | 20 |
| PID 2896 wrote to memory of 1204 | 2896 | explorer.exe | 21 |
| PID 2896 wrote to memory of 1664 | 2896 | explorer.exe | 23 |
| PID 2896 wrote to memory of 2812 | 2896 | explorer.exe | 30 |
| PID 2896 wrote to memory of 2812 | 2896 | explorer.exe | 30 |
| PID 2896 wrote to memory of 1108 | 2896 | explorer.exe | 19 |
| PID 2896 wrote to memory of 1160 | 2896 | explorer.exe | 20 |
| PID 2896 wrote to memory of 1204 | 2896 | explorer.exe | 21 |
| PID 2896 wrote to memory of 1664 | 2896 | explorer.exe | 23 |
System policy modification (1 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe |
Processes

- C:\Windows\system32\taskhost.exe, command line: "taskhost.exe", PID: 1108
- C:\Windows\system32\Dwm.exe, command line: "C:\Windows\system32\Dwm.exe", PID: 1160
- C:\Windows\Explorer.EXE, command line: C:\Windows\Explorer.EXE, PID: 1204
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe, command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe", PID: 2384
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - \??\c:\windows\system\explorer.exe, command line: c:\windows\system\explorer.exe, PID: 2896
      - Modifies WinLogon for persistence
      - Modifies firewall policy service
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Windows security bypass
      - Boot or Logon Autostart Execution: Active Setup
      - Deletes itself
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      - \??\c:\windows\system\spoolsv.exe, command line: c:\windows\system\spoolsv.exe SE, PID: 2644
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\svchost.exe, command line: c:\windows\system\svchost.exe, PID: 2812
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - \??\c:\windows\system\spoolsv.exe, command line: c:\windows\system\spoolsv.exe PR, PID: 2512
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
          - C:\Windows\SysWOW64\at.exe, command line: at 20:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe, PID: 1740
            - System Location Discovery: System Language Discovery
- C:\Windows\system32\DllHost.exe, command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, PID: 1664
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (9)