Analysis
max time kernel: 25s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/03/2025, 01:27

Static task: static1

Behavioral task: behavioral1
Sample: JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Resource: win10v2004-20250314-en
General
Target: JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Size: 287KB
MD5: 80b5d6b1db9b2a3a754dcfc082ec1c6d
SHA1: 949e7ed5d58dac9d8a1ffdc61da351a1b2333e28
SHA256: 704d8f03265ae5970cfc2dc5ad341d3b3ed67e757bbe56ea72c7666496528d12
SHA512: 7504d24719a42159d5af48a18f40b2b1538533e3cc48d5dea07c9c5812b6a9411ed6f165d494f8c98438fcaa13d95e55843b781e5557049db3fb381ce3955121
SSDEEP: 6144:KvEA2U+T6i5LirrllHy4HUcMQY6qjbh+bR2j1P:0EAN+T5xYrllrU7QY6qKR29
Malware Config
Extracted: sality
Signatures

Bazaloader family

Detects BazaLoader malware (1 IoCs)
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests - JaffaCakes118.
resource | yara_rule
behavioral2/memory/4612-146-0x0000000000400000-0x0000000000441000-memory.dmp | BazaLoader
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Sality family
UAC bypass (3 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Windows security bypass (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 5 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Disables RegEdit via registry modification (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | explorer.exe
Disables Task Manager via registry modification
Deletes itself (1 IoCs)
pid | Process
5568 | explorer.exe
Executes dropped EXE (4 IoCs)
pid | Process
5568 | explorer.exe
3616 | spoolsv.exe
4612 | svchost.exe
4624 | spoolsv.exe
Windows security modification (2 TTPs, 14 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Checks whether UAC is enabled (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
File opened for modification | \??\c:\windows\system\explorer.exe | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
5568 | explorer.exe
4612 | svchost.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
3552 | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
3552 | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
5568 | explorer.exe
5568 | explorer.exe
3616 | spoolsv.exe
3616 | spoolsv.exe
4612 | svchost.exe
4612 | svchost.exe
4624 | spoolsv.exe
4624 | spoolsv.exe
5568 | explorer.exe
5568 | explorer.exe
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe
Processes (image path | command line | PID; child processes are indented under their parent)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:768
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:316
C:\Windows\system32\sihost.exe | sihost.exe | PID:2680
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2708
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2864
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3396
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80b5d6b1db9b2a3a754dcfc082ec1c6d.exe" | PID:3552
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:5568
      - Modifies WinLogon for persistence
      - Modifies firewall policy service
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Windows security bypass
      - Boot or Logon Autostart Execution: Active Setup
      - Disables RegEdit via registry modification
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:3616
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\svchost.exe | c:\windows\system\svchost.exe | PID:4612
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe PR | PID:4624
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\at.exe | at 01:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe | PID:4704
            - System Location Discovery: System Language Discovery
          C:\Windows\SysWOW64\at.exe | at 01:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe | PID:2892
      \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:792
      \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:5688
      \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:3076
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3584
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3780
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3868
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3928
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4016
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4212
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:5764
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3560
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2492
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:524
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:2196
C:\Windows\system32\BackgroundTaskHost.exe | "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider | PID:1996
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4224
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:5188
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:4640
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:4684
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (9)
Downloads