Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/03/2025, 19:09

Static task: static1
Behavioral task: behavioral1 (Sample: JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe; Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe; Resource: win10v2004-20250217-en)
General
Target: JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Size: 212KB
MD5: 53446bee6d94a205129c8e55574d9fe4
SHA1: 8793e22d95fb8f9418bad91413c797f602499247
SHA256: 59c9544c206f6e202f2fbb10d5d9da403554eb8ca6db2db138e7b8c2a69fe185
SHA512: 36f98f2ec9d6d95f29f296d7403360307b2e08953764b07b72dd471a3219eaa1a332d184944ea3dff30b3cb5b08f811a66f69548fddc91730450b4e8c1a1f122
SSDEEP: 3072:ucUcm0X3qDOUwUNvo8Hj/64qDuibRRP1SWYh037Fu776yThTthw:ucUK3qDpvTT6LDuibjfa0rFa7PtTI
Malware Config
Extracted family: sality
Extracted config URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | sesdessecetra.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | sesdessecetra.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | sesdessecetra.exe
Sality family
UAC bypass (3 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sesdessecetra.exe
Windows security bypass (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sesdessecetra.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | sesdessecetra.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sesdessecetra.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sesdessecetra.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sesdessecetra.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sesdessecetra.exe
Executes dropped EXE (2 IoCs)
pid | Process
5640 | sesdessecetra.exe
4660 | sesdessecetra.exe
Windows security modification (2 TTPs, 14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sesdessecetra.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sesdessecetra.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sesdessecetra.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | sesdessecetra.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sesdessecetra.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sesdessecetra.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | sesdessecetra.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Driver Control Manager v8.2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sesdessecetra.exe" | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver Control Manager v8.2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sesdessecetra.exe" | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Checks whether UAC is enabled (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sesdessecetra.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 4540 set thread context of 1844 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 89
PID 5640 set thread context of 4660 | 5640 | sesdessecetra.exe | 92
resource | yara_rule
behavioral2/memory/4540-1-0x0000000002C10000-0x0000000003C9E000-memory.dmp | upx
behavioral2/memory/4540-3-0x0000000002C10000-0x0000000003C9E000-memory.dmp | upx
behavioral2/memory/4540-4-0x0000000002C10000-0x0000000003C9E000-memory.dmp | upx
behavioral2/memory/4540-9-0x0000000002C10000-0x0000000003C9E000-memory.dmp | upx
behavioral2/memory/4540-8-0x0000000002C10000-0x0000000003C9E000-memory.dmp | upx
behavioral2/memory/4540-11-0x0000000002C10000-0x0000000003C9E000-memory.dmp | upx
behavioral2/memory/4540-13-0x0000000002C10000-0x0000000003C9E000-memory.dmp | upx
behavioral2/memory/4540-5-0x0000000002C10000-0x0000000003C9E000-memory.dmp | upx
behavioral2/memory/4540-16-0x0000000002C10000-0x0000000003C9E000-memory.dmp | upx
behavioral2/memory/4540-17-0x0000000002C10000-0x0000000003C9E000-memory.dmp | upx
behavioral2/memory/4540-18-0x0000000002C10000-0x0000000003C9E000-memory.dmp | upx
behavioral2/memory/4540-24-0x0000000002C10000-0x0000000003C9E000-memory.dmp | upx
behavioral2/memory/5640-50-0x0000000002A30000-0x0000000003ABE000-memory.dmp | upx
behavioral2/memory/5640-48-0x0000000002A30000-0x0000000003ABE000-memory.dmp | upx
behavioral2/memory/5640-51-0x0000000002A30000-0x0000000003ABE000-memory.dmp | upx
behavioral2/memory/5640-49-0x0000000002A30000-0x0000000003ABE000-memory.dmp | upx
behavioral2/memory/5640-52-0x0000000002A30000-0x0000000003ABE000-memory.dmp | upx
behavioral2/memory/5640-46-0x0000000002A30000-0x0000000003ABE000-memory.dmp | upx
behavioral2/memory/5640-47-0x0000000002A30000-0x0000000003ABE000-memory.dmp | upx
behavioral2/memory/5640-42-0x0000000002A30000-0x0000000003ABE000-memory.dmp | upx
behavioral2/memory/5640-44-0x0000000002A30000-0x0000000003ABE000-memory.dmp | upx
behavioral2/memory/5640-62-0x0000000002A30000-0x0000000003ABE000-memory.dmp | upx
behavioral2/memory/5640-63-0x0000000002A30000-0x0000000003ABE000-memory.dmp | upx
behavioral2/memory/5640-74-0x0000000002A30000-0x0000000003ABE000-memory.dmp | upx
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sesdessecetra.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sesdessecetra.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
5640 | sesdessecetra.exe
5640 | sesdessecetra.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
(this identical row appears 64 times in the report, all for PID 4540)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
5640 | sesdessecetra.exe
Suspicious use of WriteProcessMemory (57 IoCs)
description | pid | Process | procid_target
PID 4540 wrote to memory of 780 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 8
PID 4540 wrote to memory of 784 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 9
PID 4540 wrote to memory of 60 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 13
PID 4540 wrote to memory of 3024 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 50
PID 4540 wrote to memory of 3032 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 51
PID 4540 wrote to memory of 684 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 52
PID 4540 wrote to memory of 3408 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 56
PID 4540 wrote to memory of 3548 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 57
PID 4540 wrote to memory of 3752 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 58
PID 4540 wrote to memory of 3844 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 59
PID 4540 wrote to memory of 3912 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 60
PID 4540 wrote to memory of 4000 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 61
PID 4540 wrote to memory of 3856 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 62
PID 4540 wrote to memory of 5016 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 76
PID 4540 wrote to memory of 3488 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 77
PID 4540 wrote to memory of 708 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 80
PID 4540 wrote to memory of 5060 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 81
PID 4540 wrote to memory of 5848 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 86
PID 4540 wrote to memory of 3444 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 87
PID 4540 wrote to memory of 1844 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 89
PID 4540 wrote to memory of 1844 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 89
PID 4540 wrote to memory of 1844 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 89
PID 4540 wrote to memory of 1844 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 89
PID 4540 wrote to memory of 1844 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 89
PID 4540 wrote to memory of 1844 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 89
PID 4540 wrote to memory of 1844 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 89
PID 4540 wrote to memory of 1844 | 4540 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 89
PID 1844 wrote to memory of 5640 | 1844 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 90
PID 1844 wrote to memory of 5640 | 1844 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 90
PID 1844 wrote to memory of 5640 | 1844 | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | 90
PID 5640 wrote to memory of 780 | 5640 | sesdessecetra.exe | 8
PID 5640 wrote to memory of 784 | 5640 | sesdessecetra.exe | 9
PID 5640 wrote to memory of 60 | 5640 | sesdessecetra.exe | 13
PID 5640 wrote to memory of 3024 | 5640 | sesdessecetra.exe | 50
PID 5640 wrote to memory of 3032 | 5640 | sesdessecetra.exe | 51
PID 5640 wrote to memory of 684 | 5640 | sesdessecetra.exe | 52
PID 5640 wrote to memory of 3408 | 5640 | sesdessecetra.exe | 56
PID 5640 wrote to memory of 3548 | 5640 | sesdessecetra.exe | 57
PID 5640 wrote to memory of 3752 | 5640 | sesdessecetra.exe | 58
PID 5640 wrote to memory of 3844 | 5640 | sesdessecetra.exe | 59
PID 5640 wrote to memory of 3912 | 5640 | sesdessecetra.exe | 60
PID 5640 wrote to memory of 4000 | 5640 | sesdessecetra.exe | 61
PID 5640 wrote to memory of 3856 | 5640 | sesdessecetra.exe | 62
PID 5640 wrote to memory of 5016 | 5640 | sesdessecetra.exe | 76
PID 5640 wrote to memory of 3488 | 5640 | sesdessecetra.exe | 77
PID 5640 wrote to memory of 708 | 5640 | sesdessecetra.exe | 80
PID 5640 wrote to memory of 5060 | 5640 | sesdessecetra.exe | 81
PID 5640 wrote to memory of 5848 | 5640 | sesdessecetra.exe | 86
PID 5640 wrote to memory of 3444 | 5640 | sesdessecetra.exe | 87
PID 5640 wrote to memory of 4660 | 5640 | sesdessecetra.exe | 92
PID 5640 wrote to memory of 4660 | 5640 | sesdessecetra.exe | 92
PID 5640 wrote to memory of 4660 | 5640 | sesdessecetra.exe | 92
PID 5640 wrote to memory of 4660 | 5640 | sesdessecetra.exe | 92
PID 5640 wrote to memory of 4660 | 5640 | sesdessecetra.exe | 92
PID 5640 wrote to memory of 4660 | 5640 | sesdessecetra.exe | 92
PID 5640 wrote to memory of 4660 | 5640 | sesdessecetra.exe | 92
PID 5640 wrote to memory of 4660 | 5640 | sesdessecetra.exe | 92
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sesdessecetra.exe
Processes
(indentation shows the parent/child process tree; each entry gives image path, command line and PID, followed by the signatures raised by that process)

- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 780
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 784
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID 60
- C:\Windows\system32\sihost.exe | sihost.exe | PID 3024
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 3032
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 684
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3408
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe" | PID 4540
    Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Windows security modification; Checks whether UAC is enabled; Suspicious use of SetThreadContext; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_53446bee6d94a205129c8e55574d9fe4.exe" | PID 1844
      Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\sesdessecetra.exe | "C:\Users\Admin\AppData\Local\Temp\sesdessecetra.exe" | PID 5640
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
        - C:\Users\Admin\AppData\Local\Temp\sesdessecetra.exe | "C:\Users\Admin\AppData\Local\Temp\sesdessecetra.exe" | PID 4660
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3548
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3752
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3844
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3912
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4000
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3856
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 5016
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3488
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 708
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 5060
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID 5848
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 3444
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (6)
Downloads
- Filesize: 212KB
  MD5: 53446bee6d94a205129c8e55574d9fe4
  SHA1: 8793e22d95fb8f9418bad91413c797f602499247
  SHA256: 59c9544c206f6e202f2fbb10d5d9da403554eb8ca6db2db138e7b8c2a69fe185
  SHA512: 36f98f2ec9d6d95f29f296d7403360307b2e08953764b07b72dd471a3219eaa1a332d184944ea3dff30b3cb5b08f811a66f69548fddc91730450b4e8c1a1f122
- Filesize: 257B
  MD5: 346aac80c24933b0029a92ebba71516f
  SHA1: 357cca0111c5bdb692c3adfb2853d294d633efc8
  SHA256: 1c1ade219abddbfc50161c0b3ca70ea8c406e2607f683814a85972f6c73db776
  SHA512: 98ddc3d338f284d5bf68cbe08a7b77c049618d0489e7ce87a2c9f6628f18d26ca261396205c806294a1882be3c6d46d4d0245cada4f41b9c8d522f4cfa21e379