Analysis
max time kernel: 35s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/03/2025, 07:56
Behavioral tasks
behavioral1: JaffaCakes118_5138877efb91add1428054d9237682a4.exe on win7-20241010-en
behavioral2: JaffaCakes118_5138877efb91add1428054d9237682a4.exe on win10v2004-20250217-en
The signatures, memory dumps and process list below come from behavioral2 (the Windows 10 2004 x64 run).
General
Target: JaffaCakes118_5138877efb91add1428054d9237682a4.exe
Size: 725KB
MD5: 5138877efb91add1428054d9237682a4
SHA1: 36d87f02177b179c960fdd5f35c374fd8b8bce36
SHA256: 881c0ae199ff540027f700b966203eca1995c2a6f26d15ffb7ef659fb24716fa
SHA512: 47ef1398c5eadfaf76ed12dd8ecc4353ebec02d0ea86b6361c1e2741d0dfb5297ca5e69877dd381a65f929db9e797f8866fe0ecf768d3612ab1529e30e2cd8da
SSDEEP: 12288:r6JaPehDSsMuGIC0WoFlwe25Ef50MQdVahkfz5T+92fHz6:GOALMJ4Dwe25EfuMQbYkfJi2b6
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Sality family
UAC bypass (3 TTPs, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | CoolReader.exe
Setting EnableLUA to 0 turns UAC off for every user, but the change only takes effect after the next reboot; on a live host the value is worth checking even when UAC prompts still appear.
Windows security bypass (2 TTPs, 12 IoCs)
All rows are Set value (int) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\:
value | process
FirewallOverride = "1" | CoolReader.exe
FirewallOverride = "1" | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
UacDisableNotify = "1" | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
AntiVirusOverride = "1" | CoolReader.exe
FirewallDisableNotify = "1" | CoolReader.exe
UpdatesDisableNotify = "1" | CoolReader.exe
UacDisableNotify = "1" | CoolReader.exe
AntiVirusOverride = "1" | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
AntiVirusDisableNotify = "1" | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
FirewallDisableNotify = "1" | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
UpdatesDisableNotify = "1" | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
AntiVirusDisableNotify = "1" | CoolReader.exe
These are the legacy Security Center override and notification switches; on Windows 10 they have little or no effect on the Security Center UI, but writes to them remain a strong detection signal because legitimate software does not set them. The WOW6432Node path shows the sample is a 32-bit process writing through registry redirection.
Disables RegEdit via registry modification (2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | CoolReader.exe
Disables Task Manager via registry modification (no IoC rows in this report)
Modifies Windows Firewall (2 TTPs, 2 IoCs)
pid | process
536 | netsh.exe
1304 | netsh.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely as a geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
Deletes itself (1 IoC)
pid | process
3116 | CoolReader.exe

Executes dropped EXE (1 IoC)
pid | process
3116 | CoolReader.exe
Windows security modification (2 TTPs, 14 IoCs)
All rows are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\:
description | value or key | process
Set value (int) | AntiVirusDisableNotify = "1" | CoolReader.exe
Set value (int) | FirewallDisableNotify = "1" | CoolReader.exe
Set value (int) | UpdatesDisableNotify = "1" | CoolReader.exe
Set value (int) | AntiVirusDisableNotify = "1" | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
Set value (int) | FirewallOverride = "1" | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
Set value (int) | UpdatesDisableNotify = "1" | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
Set value (int) | FirewallOverride = "1" | CoolReader.exe
Set value (int) | UacDisableNotify = "1" | CoolReader.exe
Key created | Svc | CoolReader.exe
Set value (int) | AntiVirusOverride = "1" | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
Set value (int) | FirewallDisableNotify = "1" | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
Set value (int) | UacDisableNotify = "1" | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
Key created | Svc | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
Set value (int) | AntiVirusOverride = "1" | CoolReader.exe
Checks whether UAC is enabled (1 TTP, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | CoolReader.exe
YARA rule "upx" matches (21 resources)
resource | yara_rule
behavioral2/memory/3188-0-0x0000000000400000-0x00000000005E8000-memory.dmp | upx
behavioral2/memory/3188-3-0x0000000000400000-0x00000000005E8000-memory.dmp | upx
behavioral2/memory/3188-2-0x00000000024F0000-0x000000000351E000-memory.dmp | upx
behavioral2/memory/3188-8-0x00000000024F0000-0x000000000351E000-memory.dmp | upx
behavioral2/memory/3188-17-0x0000000000400000-0x00000000005E8000-memory.dmp | upx
behavioral2/memory/3188-16-0x0000000000400000-0x00000000005E8000-memory.dmp | upx
behavioral2/memory/3188-15-0x0000000000400000-0x00000000005E8000-memory.dmp | upx
behavioral2/memory/3188-18-0x00000000024F0000-0x000000000351E000-memory.dmp | upx
behavioral2/memory/3188-26-0x00000000024F0000-0x000000000351E000-memory.dmp | upx
behavioral2/memory/3188-25-0x00000000024F0000-0x000000000351E000-memory.dmp | upx
behavioral2/memory/3188-31-0x0000000000400000-0x00000000005E8000-memory.dmp | upx
behavioral2/files/0x000500000001e435-40.dat | upx
behavioral2/memory/3188-45-0x0000000000400000-0x00000000005E8000-memory.dmp | upx
behavioral2/memory/3188-49-0x00000000024F0000-0x000000000351E000-memory.dmp | upx
behavioral2/memory/3116-64-0x0000000000400000-0x00000000005E8000-memory.dmp | upx
behavioral2/memory/3188-80-0x0000000000400000-0x00000000005E8000-memory.dmp | upx
behavioral2/memory/3116-81-0x0000000004AB0000-0x0000000005ADE000-memory.dmp | upx
behavioral2/memory/3116-96-0x0000000000400000-0x00000000005E8000-memory.dmp | upx
behavioral2/memory/3116-95-0x0000000000400000-0x00000000005E8000-memory.dmp | upx
behavioral2/memory/3116-86-0x0000000004AB0000-0x0000000005ADE000-memory.dmp | upx
behavioral2/memory/3116-83-0x0000000004AB0000-0x0000000005ADE000-memory.dmp | upx
Drops file in Program Files directory (4 IoCs)
description | ioc | process
File created | C:\Program Files\Cool PDF Reader\CoolReader.exe | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
File opened for modification | C:\Program Files\Cool PDF Reader\CoolReader.exe | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | CoolReader.exe
Both processes open an unrelated installed executable (7z.exe) for modification, which is consistent with Sality's PE file-infection behaviour; on an infected host, other executables should be treated as suspect rather than only the dropped CoolReader.exe.

Drops file in Windows directory (2 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
File created | C:\Windows\CoolRead.ini | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 6 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Every row here is a read: netsh.exe enumerates its helper-DLL list from this key at startup, and the report shows no write to it. The signature therefore reflects the two netsh.exe launches used to disable the firewall, not the registration of a helper DLL for persistence.
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CoolReader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | process
3188 | JaffaCakes118_5138877efb91add1428054d9237682a4.exe (4 rows)
3116 | CoolReader.exe (4 rows)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process
Token: SeDebugPrivilege | 3188 | JaffaCakes118_5138877efb91add1428054d9237682a4.exe (all 64 rows identical)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | procid_target
The sandbox records one row per write; the rows are grouped here by writer and target PID, with the procid_target in parentheses and repeat counts after "x".

Writer PID 3188, JaffaCakes118_5138877efb91add1428054d9237682a4.exe (44 rows):
  wrote to PID 536 (85) x5; PID 4008 (86) x1; PID 3116 (96) x3
  wrote to PIDs 796 (9), 804 (10), 384 (13), 2904 (50), 2964 (52), 2760 (53), 3428 (57), 3552 (58), 3736 (59), 3892 (60), 3964 (61), 4048 (62), 2956 (75), 2872 (77), 716 (82), 4668 (83): x2 each
  wrote to PIDs 3668 (88), 2516 (89), 900 (90): x1 each
Writer PID 3116, CoolReader.exe (20 rows):
  wrote to PID 1304 (99) x3
  wrote to PIDs 796 (9), 804 (10), 384 (13), 2904 (50), 2964 (52), 2760 (53), 3428 (57), 3552 (58), 3736 (59), 3892 (60), 3964 (61), 4048 (62), 2956 (75), 2872 (77), 4668 (83), 3668 (88), 2516 (89): x1 each

The writes to 536, 4008, 3116 and 1304 correspond to the child processes each writer creates (see the process list). Every other target is a pre-existing system or shell process (fontdrvhost, dwm, sihost, svchost, taskhostw, Explorer, RuntimeBroker, DllHost and so on), which is the broad cross-process injection typical of Sality rather than ordinary parent-to-child setup.
System policy modification (1 TTP, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_5138877efb91add1428054d9237682a4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | CoolReader.exe
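The signatures above record three things worth hunting for on other hosts: the policy and Security Center registry writes, the netsh command line that disables the firewall, and a single process writing into many unrelated processes. The Python below is an added example written for this report; it is not sandbox output and not code from the report or from Sality. It runs over constructed Sysmon-shaped events (EID 13 registry value set, EID 1 process create, EID 10 process access) that mirror the IoCs listed, plus benign look-alikes that must not fire. The simplified field names, the PIDs of the benign events, the x64dbg path and the fan-out threshold of five targets are assumptions.

```python
"""Hunting logic for the Sality-style host tampering shown in this report.
Added example (not sandbox output or the report's own code); the events are
constructed, Sysmon-shaped records with simplified, assumed field names."""
import re
from collections import defaultdict

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5138877efb91add1428054d9237682a4.exe"
PAYLOAD = r"C:\Program Files\Cool PDF Reader\CoolReader.exe"

# Constructed telemetry mirroring the report's IoCs, plus benign look-alikes (PIDs assumed).
EVENTS = [
    {"eid": 13, "pid": 3188, "image": DROPPER, "details": "DWORD (0x00000000)",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"eid": 13, "pid": 3116, "image": PAYLOAD, "details": "DWORD (0x00000001)",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride"},
    {"eid": 13, "pid": 3116, "image": PAYLOAD, "details": "DWORD (0x00000001)",
     "target": r"HKU\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft"
               r"\Windows\CurrentVersion\Policies\system\DisableRegistryTools"},
    # Benign write beside the policy values: must not fire.
    {"eid": 13, "pid": 4100, "image": r"C:\Windows\System32\svchost.exe", "details": "DWORD (0x00000005)",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin"},
    {"eid": 1, "pid": 536, "ppid": 3188, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": "netsh firewall set opmode disable"},
    {"eid": 1, "pid": 5000, "ppid": 3428, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface ip show config"},
    # A debugger opening one process with full access: a single write is not enough to fire.
    {"eid": 10, "pid": 6100, "image": r"C:\Tools\x64dbg.exe", "target_pid": 7000, "granted": "0x1FFFFF"},
] + [
    # The dropper writing into many unrelated processes, as in the WriteProcessMemory rows above.
    {"eid": 10, "pid": 3188, "image": DROPPER, "target_pid": t, "granted": "0x1FFFFF"}
    for t in (796, 804, 384, 2904, 2964, 2760, 3428, 3552, 3736)
]

# Hive/SID prefixes as Sysmon writes them (HKLM\, HKU\<sid>\) and as the sandbox
# writes them (\REGISTRY\MACHINE\, \REGISTRY\USER\<sid>\), so both normalize alike.
HIVE_PREFIX = re.compile(r"^(hklm|hkcu|\\registry\\machine|(hku|\\registry\\user)\\[^\\]+)\\", re.I)
POLICY_KEY = "software\\microsoft\\windows\\currentversion\\policies\\system"
SECURITY_CENTER_KEY = "software\\microsoft\\security center"
# Policy values the sample flips, with the data that indicates tampering.
POLICY_TAMPER = {"enablelua": (0, "UAC bypass: EnableLUA set to 0"),
                 "disableregistrytools": (1, "Registry editor disabled via policy"),
                 "disabletaskmgr": (1, "Task Manager disabled via policy")}
SECURITY_CENTER_TAMPER = {"antivirusoverride", "firewalloverride", "antivirusdisablenotify",
                          "firewalldisablenotify", "updatesdisablenotify", "uacdisablenotify"}
NETSH_FIREWALL_OFF = re.compile(r"netsh(\.exe)?\s+(firewall\s+set\s+opmode\s+(mode=)?disable"
                                r"|advfirewall\s+set\s+\w+\s+state\s+off)", re.I)
PROCESS_VM_WRITE = 0x0020  # GrantedAccess bit required for WriteProcessMemory


def normalize_reg_path(path):
    """Lower-case, drop the hive/SID prefix and the WOW6432Node redirection so the
    32-bit view the sample writes through compares equal to the native key."""
    return HIVE_PREFIX.sub("", path.strip()).lower().replace("wow6432node\\", "")


def parse_dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return the int, else None."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details.strip())
    return int(m.group(1), 16) if m else None


def check_registry_event(ev):
    key, _, value = normalize_reg_path(ev["target"]).rpartition("\\")
    data = parse_dword(ev["details"])
    if key == POLICY_KEY and value in POLICY_TAMPER and data == POLICY_TAMPER[value][0]:
        return (ev["pid"], POLICY_TAMPER[value][1])
    if key == SECURITY_CENTER_KEY and value in SECURITY_CENTER_TAMPER and data == 1:
        return (ev["pid"], "Security Center override/notification suppressed: " + value)
    return None


def check_process_event(ev):
    if NETSH_FIREWALL_OFF.search(ev.get("cmdline", "")):
        return (ev["pid"], "Windows Firewall disabled: " + ev["cmdline"])
    return None


def injection_fanout(events, threshold=5):
    """Flag each writer PID that obtained PROCESS_VM_WRITE on at least `threshold`
    distinct targets; one access is normal for tooling, Sality hits every process."""
    targets = defaultdict(set)
    for ev in events:
        if ev["eid"] == 10 and int(ev["granted"], 16) & PROCESS_VM_WRITE:
            targets[ev["pid"]].add(ev["target_pid"])
    return {pid: sorted(t) for pid, t in targets.items() if len(t) >= threshold}


def hunt(events, fanout_threshold=5):
    """Return (pid, finding) tuples for every event matching a behaviour in the report."""
    findings = []
    for ev in events:
        hit = None
        if ev["eid"] == 13:
            hit = check_registry_event(ev)
        elif ev["eid"] == 1:
            hit = check_process_event(ev)
        if hit:
            findings.append(hit)
    for pid, tgts in injection_fanout(events, fanout_threshold).items():
        findings.append((pid, "Cross-process write fan-out into %d processes" % len(tgts)))
    return findings


if __name__ == "__main__":
    for pid, text in hunt(EVENTS):
        print("PID %d: %s" % (pid, text))
```

Running the module prints five findings: the EnableLUA write, the Security Center AntiVirusOverride write, the per-user DisableRegistryTools policy, the `netsh firewall set opmode disable` command line, and the dropper's write fan-out into nine processes. The ConsentPromptBehaviorAdmin write, the harmless netsh query and the single debugger access produce nothing. Path normalization strips the hive, the user SID and WOW6432Node so that the sandbox's `\REGISTRY\MACHINE\...` form and Sysmon's `HKLM\...` form hit the same rule, which matters here because the 32-bit sample writes the Security Center values through the WOW6432Node view.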
Processes
depth | image | command line | PID

1 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 796
1 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 804
1 | C:\Windows\system32\dwm.exe | "dwm.exe" | PID 384
1 | C:\Windows\system32\sihost.exe | sihost.exe | PID 2904
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2964
1 | C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2760
1 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3428
  2 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5138877efb91add1428054d9237682a4.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5138877efb91add1428054d9237682a4.exe" | PID 3188
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    3 | C:\Windows\SysWOW64\netsh.exe | netsh firewall set opmode disable | PID 536
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      4 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4008
    3 | C:\Program Files\Cool PDF Reader\CoolReader.exe | "C:\Program Files\Cool PDF Reader\CoolReader.exe" | PID 3116
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
      4 | C:\Windows\SysWOW64\netsh.exe | netsh firewall set opmode disable | PID 1304
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
1 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3552
1 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3736
1 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3892
1 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3964
1 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4048
1 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 2956
1 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2872
1 | C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 716
1 | C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID 4668
1 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3668
1 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2516
1 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | PID 900
Network
MITRE ATT&CK Enterprise v15
Counts in brackets are the number of signatures mapped to each technique.

Persistence
  Create or Modify System Process (T1543) [1]: Windows Service (T1543.003) [1]
  Event Triggered Execution (T1546) [1]: Netsh Helper DLL (T1546.007) [1]
Privilege Escalation
  Abuse Elevation Control Mechanism (T1548) [1]: Bypass User Account Control (T1548.002) [1]
  Create or Modify System Process (T1543) [1]: Windows Service (T1543.003) [1]
  Event Triggered Execution (T1546) [1]: Netsh Helper DLL (T1546.007) [1]
Defense Evasion
  Abuse Elevation Control Mechanism (T1548) [1]: Bypass User Account Control (T1548.002) [1]
  Impair Defenses (T1562) [4]: Disable or Modify System Firewall (T1562.004) [1]; Disable or Modify Tools (T1562.001) [3]
  Modify Registry (T1112) [4]
Downloads

Submitted sample
Filesize: 725KB
MD5: 5138877efb91add1428054d9237682a4
SHA1: 36d87f02177b179c960fdd5f35c374fd8b8bce36
SHA256: 881c0ae199ff540027f700b966203eca1995c2a6f26d15ffb7ef659fb24716fa
SHA512: 47ef1398c5eadfaf76ed12dd8ecc4353ebec02d0ea86b6361c1e2741d0dfb5297ca5e69877dd381a65f929db9e797f8866fe0ecf768d3612ab1529e30e2cd8da

Second artifact (unnamed in this report)
Filesize: 257B
MD5: 896079212671ba8c0051473f346c8fd0
SHA1: f2aa35f8de98c0c6dc46274957e0e31f0b67ccf5
SHA256: b34626f4c3c095bd87541f29d1b720a4e17572b8403376adca623facb2df6302
SHA512: f21550e92b4e2feb7905cc6519aba4b7c75f6c4c92126257066d82c81df221d6daeb577d1b3dc0ad1fb46e919f5d8b6d28a064124fb47bd599fe0fc2dcda9494