Analysis
max time kernel: 150s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system
submitted: 05/03/2025, 09:10
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Size: 127KB
MD5: 5173b99c37650e6180243bff6983d7af
SHA1: 3886d764b35191a85ed288b5a4630dea01a1b5e5
SHA256: 28f5079cfa1c703654d4c9698b83f7983ac20930d976643af00bab8cc6b9523f
SHA512: aa7a71f97a86951233067a7c1815cd485e5c63dbde6c27bb557c3e77f56d58ad9f698f5e8e8a0339e3f80b2e819d29accc7a940de27c20dfe2c783ec150bddd7
SSDEEP: 3072:2uDYC6NYrl1u9Yaq8vVro3iwNkLbO4Zj3xrSdJOLOjbC7Vsn4ax:2ukvNkl1Cq8NEe7UdoLO+sn4a
Malware Config
Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Sality family
UAC bypass 3 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Windows security bypass 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Disables Task Manager via registry modification
Windows security modification 2 TTPs 7 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened (read-only) | \??\K: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened (read-only) | \??\Q: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened (read-only) | \??\S: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened (read-only) | \??\T: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened (read-only) | \??\W: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened (read-only) | \??\X: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened (read-only) | \??\I: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened (read-only) | \??\L: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened (read-only) | \??\N: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened (read-only) | \??\P: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened (read-only) | \??\R: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened (read-only) | \??\U: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened (read-only) | \??\V: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened (read-only) | \??\Y: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened (read-only) | \??\E: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened (read-only) | \??\J: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened (read-only) | \??\O: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened (read-only) | \??\Z: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened (read-only) | \??\G: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened (read-only) | \??\M: | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened for modification | F:\autorun.inf | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Suspicious behavior: EnumeratesProcesses 30 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe
Processes
C:\Windows\system32\fontdrvhost.exe | cmdline: "fontdrvhost.exe" | level 1 | PID:776
C:\Windows\system32\fontdrvhost.exe | cmdline: "fontdrvhost.exe" | level 1 | PID:784
C:\Windows\system32\dwm.exe | cmdline: "dwm.exe" | level 1 | PID:380
C:\Windows\system32\sihost.exe | cmdline: sihost.exe | level 1 | PID:2644
C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | level 1 | PID:2656
C:\Windows\system32\taskhostw.exe | cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | level 1 | PID:2788
C:\Windows\Explorer.EXE | cmdline: C:\Windows\Explorer.EXE | level 1 | PID:3484
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5173b99c37650e6180243bff6983d7af.exe" | level 2 | PID:2132
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | level 1 | PID:3664
C:\Windows\system32\DllHost.exe | cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | level 1 | PID:3856
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | level 1 | PID:1044
C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | level 1 | PID:2776
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | level 1 | PID:2356
C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | level 1 | PID:3720
C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | level 1 | PID:5108
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | level 1 | PID:336
C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | level 1 | PID:1108
C:\Windows\system32\backgroundTaskHost.exe | cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | level 1 | PID:1556
C:\Windows\system32\backgroundTaskHost.exe | cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | level 1 | PID:1716
C:\Windows\System32\RuntimeBroker.exe | cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | level 1 | PID:4844
C:\Windows\system32\backgroundTaskHost.exe | cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | level 1 | PID:540
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation: Abuse Elevation Control Mechanism (1), Bypass User Account Control (1), Create or Modify System Process (1), Windows Service (1)
Defense Evasion: Abuse Elevation Control Mechanism (1), Bypass User Account Control (1), Impair Defenses (4), Disable or Modify System Firewall (1), Disable or Modify Tools (3), Modify Registry (5)
Downloads
Filesize: 100KB
MD5: 5b1d45006c54c7808cd3d9ad7a44e922
SHA1: acbec332959e311de66195405ef2f5990af1c1b4
SHA256: 3b0227480a3ea3414c1dacbc5730713a974ea1353801b3c2a07cf2303f661bd5
SHA512: 27a3e3f4454fa71f098e16f4214aa7ebf15cf8dffbcf608c54b3b9a7f6927ea9d935926ddd6d4d8efedfb433f379bba2c82828cf019b68969ecaa8b6b36df80c