Analysis
max time kernel: 25s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20/03/2025, 01:27
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
  Resource: win10v2004-20250314-en
General
Target: JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Size: 287KB
MD5: 80b5d6b1db9b2a3a754dcfc082ec1c6d
SHA1: 949e7ed5d58dac9d8a1ffdc61da351a1b2333e28
SHA256: 704d8f03265ae5970cfc2dc5ad341d3b3ed67e757bbe56ea72c7666496528d12
SHA512: 7504d24719a42159d5af48a18f40b2b1538533e3cc48d5dea07c9c5812b6a9411ed6f165d494f8c98438fcaa13d95e55843b781e5557049db3fb381ce3955121
SSDEEP: 6144:KvEA2U+T6i5LirrllHy4HUcMQY6qjbh+bR2j1P:0EAN+T5xYrllrU7QY6qKR29
Malware Config
Extracted: sality
Signatures
Bazaloader family
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests - JaffaCakes118.
resource | yara_rule
behavioral1/memory/2676-261-0x0000000000400000-0x0000000000441000-memory.dmp | BazaLoader
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | explorer.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Sality family
UAC bypass 3 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Windows security bypass 2 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | explorer.exe
Disables Task Manager via registry modification
Deletes itself 1 IoCs
pid | Process
2604 | explorer.exe
Executes dropped EXE 4 IoCs
pid | Process
2604 | explorer.exe
528 | spoolsv.exe
2676 | svchost.exe
2064 | spoolsv.exe
Loads dropped DLL 8 IoCs
pid | Process
2816 | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
2816 | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
2604 | explorer.exe
2604 | explorer.exe
528 | spoolsv.exe
528 | spoolsv.exe
2676 | svchost.exe
2676 | svchost.exe
Windows security modification 2 TTPs 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Checks whether UAC is enabled 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Drops file in Windows directory 6 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\SYSTEM.INI | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
File opened for modification | \??\c:\windows\system\explorer.exe | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
2604 | explorer.exe
2676 | svchost.exe
Suspicious use of AdjustPrivilegeToken 45 IoCs
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
2816 | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
2816 | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
2604 | explorer.exe
2604 | explorer.exe
528 | spoolsv.exe
528 | spoolsv.exe
2676 | svchost.exe
2676 | svchost.exe
2064 | spoolsv.exe
2064 | spoolsv.exe
2604 | explorer.exe
2604 | explorer.exe
Suspicious use of WriteProcessMemory 34 IoCs
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Processes
C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID:1076
C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID:1144
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:1204
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe"  PID:2816
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    \??\c:\windows\system\explorer.exe  c:\windows\system\explorer.exe  PID:2604
      - Modifies WinLogon for persistence
      - Modifies firewall policy service
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Windows security bypass
      - Boot or Logon Autostart Execution: Active Setup
      - Disables RegEdit via registry modification
      - Deletes itself
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      \??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  PID:528
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\svchost.exe  c:\windows\system\svchost.exe  PID:2676
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          \??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe PR  PID:2064
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\at.exe  at 01:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe  PID:2880
            - System Location Discovery: System Language Discovery
          C:\Windows\SysWOW64\at.exe  at 01:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe  PID:2632
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:644
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (9)
Downloads