Analysis
max time kernel: 20s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/02/2025, 20:21

Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
  Resource: win10v2004-20250217-en
General
Target: JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Size: 292KB
MD5: 285cebbc3f15e5f98fd569c88ef88b60
SHA1: 63e29c8ef0595908a0b3b97fc20a6cab80640a93
SHA256: 5600f1f50e6971e997b489a53a9741c2e474606739fa9482fbc847cbccb92912
SHA512: 1544c4dee90ac72e494a1e55c54dad63cf8fbe90731bec8601fb2925cecfc2709399bd3d12c868828b5ae9ee3821c68c179480e44787f665ac020cd0272d87fc
SSDEEP: 6144:cvEF2U+T6i5LirrllHy4HUcMQY6nyLTepUZPun0CX:uEFN+T5xYrllrU7QY6yLTEnh
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Bazaloader family

Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests - JaffaCakes118.
resource | yara_rule
behavioral2/memory/1636-139-0x0000000000400000-0x0000000000442000-memory.dmp | BazaLoader
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | explorer.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Sality family
UAC bypass 3 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Windows security bypass 2 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Deletes itself 1 IoCs
pid | Process
4556 | explorer.exe
Executes dropped EXE 4 IoCs
pid | Process
4556 | explorer.exe
3996 | spoolsv.exe
1636 | svchost.exe
1068 | spoolsv.exe
Windows security modification 2 TTPs 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Checks whether UAC is enabled 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | explorer.exe
File opened (read-only) | \??\G: | explorer.exe
File opened (read-only) | \??\H: | explorer.exe
File opened (read-only) | \??\I: | explorer.exe
resource | yara_rule
behavioral2/memory/2876-6-0x0000000002AD0000-0x0000000003B5E000-memory.dmp | upx
behavioral2/memory/2876-58-0x0000000002AD0000-0x0000000003B5E000-memory.dmp | upx
behavioral2/memory/2876-10-0x0000000002AD0000-0x0000000003B5E000-memory.dmp | upx
behavioral2/memory/2876-4-0x0000000002AD0000-0x0000000003B5E000-memory.dmp | upx
behavioral2/memory/2876-5-0x0000000002AD0000-0x0000000003B5E000-memory.dmp | upx
behavioral2/memory/2876-3-0x0000000002AD0000-0x0000000003B5E000-memory.dmp | upx
behavioral2/memory/2876-7-0x0000000002AD0000-0x0000000003B5E000-memory.dmp | upx
behavioral2/memory/4556-62-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-68-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-72-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-69-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-63-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-73-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-75-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-74-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-60-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-76-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-77-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-78-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-79-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-80-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-82-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-83-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-84-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-86-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-87-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-89-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-91-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-94-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-96-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-99-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-100-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-102-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-104-0x0000000003500000-0x000000000458E000-memory.dmp | upx
behavioral2/memory/4556-106-0x0000000003500000-0x000000000458E000-memory.dmp | upx
Drops file in Windows directory 6 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\SYSTEM.INI | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
File opened for modification | \??\c:\windows\system\explorer.exe | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
4556 | explorer.exe
4556 | explorer.exe
4556 | explorer.exe
4556 | explorer.exe
4556 | explorer.exe
4556 | explorer.exe
4556 | explorer.exe
4556 | explorer.exe
4556 | explorer.exe
4556 | explorer.exe
4556 | explorer.exe
4556 | explorer.exe
4556 | explorer.exe
4556 | explorer.exe
1636 | svchost.exe
1636 | svchost.exe
1636 | svchost.exe
1636 | svchost.exe
4556 | explorer.exe
4556 | explorer.exe
1636 | svchost.exe
1636 | svchost.exe
4556 | explorer.exe
4556 | explorer.exe
1636 | svchost.exe
1636 | svchost.exe
4556 | explorer.exe
4556 | explorer.exe
1636 | svchost.exe
1636 | svchost.exe
4556 | explorer.exe
4556 | explorer.exe
1636 | svchost.exe
1636 | svchost.exe
4556 | explorer.exe
4556 | explorer.exe
1636 | svchost.exe
1636 | svchost.exe
4556 | explorer.exe
4556 | explorer.exe
1636 | svchost.exe
1636 | svchost.exe
4556 | explorer.exe
4556 | explorer.exe
1636 | svchost.exe
1636 | svchost.exe
4556 | explorer.exe
4556 | explorer.exe
1636 | svchost.exe
1636 | svchost.exe
4556 | explorer.exe
4556 | explorer.exe
1636 | svchost.exe
1636 | svchost.exe
4556 | explorer.exe
4556 | explorer.exe
1636 | svchost.exe
1636 | svchost.exe
4556 | explorer.exe
4556 | explorer.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
4556 | explorer.exe
1636 | svchost.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Token: SeDebugPrivilege | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
4556 | explorer.exe
4556 | explorer.exe
3996 | spoolsv.exe
3996 | spoolsv.exe
1636 | svchost.exe
1636 | svchost.exe
1068 | spoolsv.exe
1068 | spoolsv.exe
4556 | explorer.exe
4556 | explorer.exe
Suspicious use of WriteProcessMemory 56 IoCs
description | pid | Process | procid_target
PID 2876 wrote to memory of 788 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 9
PID 2876 wrote to memory of 792 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 10
PID 2876 wrote to memory of 60 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 13
PID 2876 wrote to memory of 2688 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 44
PID 2876 wrote to memory of 2716 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 45
PID 2876 wrote to memory of 2940 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 51
PID 2876 wrote to memory of 3440 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 56
PID 2876 wrote to memory of 3564 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 57
PID 2876 wrote to memory of 3760 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 58
PID 2876 wrote to memory of 3852 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 59
PID 2876 wrote to memory of 3920 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 60
PID 2876 wrote to memory of 4008 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 61
PID 2876 wrote to memory of 3792 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 62
PID 2876 wrote to memory of 4880 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 75
PID 2876 wrote to memory of 1464 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 76
PID 2876 wrote to memory of 3284 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 77
PID 2876 wrote to memory of 3484 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 78
PID 2876 wrote to memory of 2648 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 83
PID 2876 wrote to memory of 1824 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 84
PID 2876 wrote to memory of 4556 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 86
PID 2876 wrote to memory of 4556 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 86
PID 2876 wrote to memory of 4556 | 2876 | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe | 86
PID 4556 wrote to memory of 3996 | 4556 | explorer.exe | 87
PID 4556 wrote to memory of 3996 | 4556 | explorer.exe | 87
PID 4556 wrote to memory of 3996 | 4556 | explorer.exe | 87
PID 3996 wrote to memory of 1636 | 3996 | spoolsv.exe | 88
PID 3996 wrote to memory of 1636 | 3996 | spoolsv.exe | 88
PID 3996 wrote to memory of 1636 | 3996 | spoolsv.exe | 88
PID 1636 wrote to memory of 1068 | 1636 | svchost.exe | 89
PID 1636 wrote to memory of 1068 | 1636 | svchost.exe | 89
PID 1636 wrote to memory of 1068 | 1636 | svchost.exe | 89
PID 1636 wrote to memory of 4172 | 1636 | svchost.exe | 91
PID 1636 wrote to memory of 4172 | 1636 | svchost.exe | 91
PID 1636 wrote to memory of 4172 | 1636 | svchost.exe | 91
PID 4556 wrote to memory of 788 | 4556 | explorer.exe | 9
PID 4556 wrote to memory of 792 | 4556 | explorer.exe | 10
PID 4556 wrote to memory of 60 | 4556 | explorer.exe | 13
PID 4556 wrote to memory of 2688 | 4556 | explorer.exe | 44
PID 4556 wrote to memory of 2716 | 4556 | explorer.exe | 45
PID 4556 wrote to memory of 2940 | 4556 | explorer.exe | 51
PID 4556 wrote to memory of 3440 | 4556 | explorer.exe | 56
PID 4556 wrote to memory of 3564 | 4556 | explorer.exe | 57
PID 4556 wrote to memory of 3760 | 4556 | explorer.exe | 58
PID 4556 wrote to memory of 3852 | 4556 | explorer.exe | 59
PID 4556 wrote to memory of 3920 | 4556 | explorer.exe | 60
PID 4556 wrote to memory of 4008 | 4556 | explorer.exe | 61
PID 4556 wrote to memory of 3792 | 4556 | explorer.exe | 62
PID 4556 wrote to memory of 4880 | 4556 | explorer.exe | 75
PID 4556 wrote to memory of 1464 | 4556 | explorer.exe | 76
PID 4556 wrote to memory of 3284 | 4556 | explorer.exe | 77
PID 4556 wrote to memory of 3484 | 4556 | explorer.exe | 78
PID 4556 wrote to memory of 2648 | 4556 | explorer.exe | 83
PID 4556 wrote to memory of 1824 | 4556 | explorer.exe | 84
PID 4556 wrote to memory of 1636 | 4556 | explorer.exe | 88
PID 4556 wrote to memory of 1636 | 4556 | explorer.exe | 88
PID 4556 wrote to memory of 4132 | 4556 | explorer.exe | 93
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Processes
(tree depth in brackets; child processes are indented under their parent)

[1] C:\Windows\system32\fontdrvhost.exe
    cmdline: "fontdrvhost.exe"
    PID: 788
[1] C:\Windows\system32\fontdrvhost.exe
    cmdline: "fontdrvhost.exe"
    PID: 792
[1] C:\Windows\system32\dwm.exe
    cmdline: "dwm.exe"
    PID: 60
[1] C:\Windows\system32\sihost.exe
    cmdline: sihost.exe
    PID: 2688
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID: 2716
[1] C:\Windows\system32\taskhostw.exe
    cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 2940
[1] C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
    PID: 3440
    [2] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_285cebbc3f15e5f98fd569c88ef88b60.exe"
        PID: 2876
        signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        [3] \??\c:\windows\system\explorer.exe
            cmdline: c:\windows\system\explorer.exe
            PID: 4556
            signatures:
            - Modifies WinLogon for persistence
            - Modifies firewall policy service
            - Modifies visibility of hidden/system files in Explorer
            - UAC bypass
            - Windows security bypass
            - Boot or Logon Autostart Execution: Active Setup
            - Deletes itself
            - Executes dropped EXE
            - Windows security modification
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification
            [4] \??\c:\windows\system\spoolsv.exe
                cmdline: c:\windows\system\spoolsv.exe SE
                PID: 3996
                signatures:
                - Executes dropped EXE
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                [5] \??\c:\windows\system\svchost.exe
                    cmdline: c:\windows\system\svchost.exe
                    PID: 1636
                    signatures:
                    - Modifies WinLogon for persistence
                    - Modifies visibility of hidden/system files in Explorer
                    - Boot or Logon Autostart Execution: Active Setup
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - Drops file in Windows directory
                    - System Location Discovery: System Language Discovery
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious behavior: GetForegroundWindowSpam
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory
                    [6] \??\c:\windows\system\spoolsv.exe
                        cmdline: c:\windows\system\spoolsv.exe PR
                        PID: 1068
                        signatures:
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
                        - Suspicious use of SetWindowsHookEx
                    [6] C:\Windows\SysWOW64\at.exe
                        cmdline: at 20:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                        PID: 4172
                        signatures:
                        - System Location Discovery: System Language Discovery
                    [6] C:\Windows\SysWOW64\at.exe
                        cmdline: at 20:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                        PID: 2576
                    [6] C:\Windows\SysWOW64\at.exe
                        cmdline: at 20:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                        PID: 4548
            [4] \??\c:\windows\system\spoolsv.exe
                cmdline: c:\windows\system\spoolsv.exe SE
                PID: 2228
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID: 3564
[1] C:\Windows\system32\DllHost.exe
    cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 3760
[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID: 3852
[1] C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3920
[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID: 4008
[1] C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3792
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    PID: 4880
[1] C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 1464
[1] C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3284
[1] C:\Windows\system32\BackgroundTransferHost.exe
    cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
    PID: 3484
[1] C:\Windows\system32\backgroundTaskHost.exe
    cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
    PID: 2648
[1] C:\Windows\system32\backgroundTaskHost.exe
    cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    PID: 1824
[1] C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 4132
[1] C:\Windows\system32\dwm.exe
    cmdline: "dwm.exe"
    PID: 2744
[1] C:\Windows\system32\dwm.exe
    cmdline: "dwm.exe"
    PID: 2060
Network
MITRE ATT&CK Enterprise v15
(technique counts in parentheses)
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (9)
Downloads

Filesize: 292KB
MD5: 9c4b7dba689b8cd9c92fa9d3c8ceddf6
SHA1: 5c9cfbedf86a1f25e023432a8fc85ebee44c571e
SHA256: 70b17d9bcebfcda7cc42cccc078d41142189c8ccd308ba0bcac9189fca711741
SHA512: 8297f961fc6ec3d6f901fffe6ee9174944eb2e13eafa6e350d27f30acaa4bd8c9206f68f250098995f1bc966b952a406f004a89d4ca9e57566027bfadf83ebf3

Filesize: 257B
MD5: 9ceb8559908912f3c27d4cff3847e494
SHA1: 069c7af5134a266fe72133c833cc3cb4bbdf1424
SHA256: 3739f35070b53b9f5bcbf8a87bf8f30fc14c6032b7d1e6a34d6483d87faf20d4
SHA512: d21a4138cd5f6cf1ef6208e6489c2016cc815127ee2bd0e915a3c5ba89ec0552ef6dc8e94123e5e146d5665187d5f79896e758b42beaa90de7263fc199c7d9de

Filesize: 292KB
MD5: 236ef45588890cedcb6a2edf1d1f58c2
SHA1: 563ac74e2974ccbe65708027febd81f0f4151476
SHA256: 2bfdc3eb0861a622384bfe9cc515a4de132469ba9d12c8c717ffe3ab99c3e231
SHA512: 0e7a01c437c2bf3dc29b045c74ca593d265b639588ce5993a7eebfd23106e0082233b6bcd1b792ccbf367b0eddcb74a3b5dc128d8b785c8ccd5bd2207ce910dc

Filesize: 292KB
MD5: 299096252fa1d87d667dc7e3cbb03903
SHA1: b1522ec62a6e70199f3e670e4a60c30b3a3a36c5
SHA256: 2f32ff0d647112b58f70423bdba5969a19db28dd4ec0c1cb1081322134c3ba8d
SHA512: 8af653032557751d4d277994e6a24168761818b83beedba7f72fc714f56e53b3ed03039176b583dd27f29f700ca4c3b8aa8d0bc42fd07daa6d3a34a86dcefa2c

Filesize: 292KB
MD5: 582a394e7f318df49377f84b6bc2811f
SHA1: d3f002c6d7979310273eb10e1c367d5ce3f3673b
SHA256: b32ba468755d439ad9e9eb4fa7c94956bda478f8fba23955fb5ba02c02169945
SHA512: ad4617c5bfb32568dcedb59b060e77a384f5ec588b4af44a699f89dc6ba78617b3afd44ac444667ffd78eba7339cb1684eea512afe0f4b4d575c4e7bb975dda2

Filesize: 96KB
MD5: f583e3533e42590cc47c2af9b1ca021e
SHA1: 6135835edca4adbede65eb4e8a8077ff26e1d672
SHA256: b9f441e5f30af4262b1e829314290091cb162db40e0cf3e1549d6eb1a5362c34
SHA512: c9f148c301b403cc5b2fcf2126edbb01acfdd5e90c3bc72ca1a3fb31033b62f1b16f618cb9cb20066a18c9eaa0e4f202e0fb2815e266aae5cdb7117c13ee2ae7