sality | 176bebd01ef9664ac2087c283261ce4475525986cb2a24ec0d32748a012fbc3d

Analysis

max time kernel
130s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Size

623KB
MD5

13f2769975c7c3a834ad2f98de5fd2ed
SHA1

e453b159c317d6ce1300e9005902d5a145d650c0
SHA256

176bebd01ef9664ac2087c283261ce4475525986cb2a24ec0d32748a012fbc3d
SHA512

c88956a8e1c815a40658fcf3a9fa8552423dc3dc9fcacd7e7196b76c5057f298a8a5b7b185c786f980cdbc29e39b95c42d527e63cf23d6c7d81f9aee17a309c8
SSDEEP

12288:Ezs1pt4r/mPjMef1RpdCCdwe2lKowW+wG3Q/U52ioR52NiJ:Ew1QrOjDwe2CyiT85q0

Score

10^/10

sality backdoor evasion persistence privilege_escalation trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3280 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

update.exe

pid process

3348 update.exe
Loads dropped DLL 3 IoCs

Processes:

13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exeupdate.exe

pid process

1168 13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
3348 update.exe
3348 update.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe

pid	process
3280	netsh.exe

pid	process
3348	update.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1168-1-0x0000000002440000-0x0000000003470000-memory.dmp	upx
behavioral2/memory/1168-11-0x0000000002440000-0x0000000003470000-memory.dmp	upx
behavioral2/memory/1168-9-0x0000000002440000-0x0000000003470000-memory.dmp	upx
behavioral2/memory/1168-69-0x0000000002440000-0x0000000003470000-memory.dmp	upx
behavioral2/memory/1168-70-0x0000000002440000-0x0000000003470000-memory.dmp	upx
behavioral2/memory/1168-84-0x0000000002440000-0x0000000003470000-memory.dmp	upx
behavioral2/memory/1168-88-0x0000000002440000-0x0000000003470000-memory.dmp	upx
behavioral2/memory/1168-98-0x0000000002440000-0x0000000003470000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exeupdate.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
File opened for modification	C:\Windows\setupapi.log	update.exe
File opened for modification	\??\c:\windows\KB901105.log	update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe

pid	process
1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Token: SeDebugPrivilege	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe

description	pid	process	target process
PID 1168 wrote to memory of 804	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	fontdrvhost.exe
PID 1168 wrote to memory of 812	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	fontdrvhost.exe
PID 1168 wrote to memory of 396	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	dwm.exe
PID 1168 wrote to memory of 3280	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	netsh.exe
PID 1168 wrote to memory of 3280	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	netsh.exe
PID 1168 wrote to memory of 3280	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	netsh.exe
PID 1168 wrote to memory of 2684	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	sihost.exe
PID 1168 wrote to memory of 2712	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	svchost.exe
PID 1168 wrote to memory of 2844	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	taskhostw.exe
PID 1168 wrote to memory of 3572	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	Explorer.EXE
PID 1168 wrote to memory of 3724	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	svchost.exe
PID 1168 wrote to memory of 3904	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	DllHost.exe
PID 1168 wrote to memory of 4004	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	StartMenuExperienceHost.exe
PID 1168 wrote to memory of 4068	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	RuntimeBroker.exe
PID 1168 wrote to memory of 676	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	SearchApp.exe
PID 1168 wrote to memory of 4232	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	RuntimeBroker.exe
PID 1168 wrote to memory of 1492	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	TextInputHost.exe
PID 1168 wrote to memory of 3788	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	RuntimeBroker.exe
PID 1168 wrote to memory of 4660	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	backgroundTaskHost.exe
PID 1168 wrote to memory of 1632	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	backgroundTaskHost.exe
PID 1168 wrote to memory of 3348	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	update.exe
PID 1168 wrote to memory of 3348	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	update.exe
PID 1168 wrote to memory of 3348	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	update.exe
PID 1168 wrote to memory of 804	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	fontdrvhost.exe
PID 1168 wrote to memory of 812	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	fontdrvhost.exe
PID 1168 wrote to memory of 396	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	dwm.exe
PID 1168 wrote to memory of 2684	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	sihost.exe
PID 1168 wrote to memory of 2712	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	svchost.exe
PID 1168 wrote to memory of 2844	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	taskhostw.exe
PID 1168 wrote to memory of 3572	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	Explorer.EXE
PID 1168 wrote to memory of 3724	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	svchost.exe
PID 1168 wrote to memory of 3904	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	DllHost.exe
PID 1168 wrote to memory of 4004	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	StartMenuExperienceHost.exe
PID 1168 wrote to memory of 4068	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	RuntimeBroker.exe
PID 1168 wrote to memory of 676	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	SearchApp.exe
PID 1168 wrote to memory of 4232	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	RuntimeBroker.exe
PID 1168 wrote to memory of 1492	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	TextInputHost.exe
PID 1168 wrote to memory of 3788	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	RuntimeBroker.exe
PID 1168 wrote to memory of 4660	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	backgroundTaskHost.exe
PID 1168 wrote to memory of 3348	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	update.exe
PID 1168 wrote to memory of 3348	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	update.exe
PID 1168 wrote to memory of 4132	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	RuntimeBroker.exe
PID 1168 wrote to memory of 4676	1168	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe	RuntimeBroker.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:804

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:812

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:396

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2712

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2844

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe"
2⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1168

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3280

\??\c:\221f68f1c283c53ef446fe\update\update.exe
c:\221f68f1c283c53ef446fe\update\update.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3724

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3904

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4068

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:676

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4232

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1492

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3788

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4660

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1632

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4132

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\221f68f1c283c53ef446fe\_sfx_.dll
Filesize
30KB

MD5
b9b02d97007953e74caaa38497e7278a

SHA1
3954391efec4615a597594b02ad755f539d2fa42

SHA256
e4ecf14cf98b855642505802a04be2035db6e13600112c01632e2e600c8184cc

SHA512
78f39f6c6167ba61f52501912b3c5fa6d8c0d594be9f9a5b888b2cb4e19c1d499328fe28a90cc1457e15b14f78ce5a3591b8ed1468afb8d5e944df07a7ae2c6e

Download Submit
C:\221f68f1c283c53ef446fe\update\update.exe
Filesize
706KB

MD5
159c70c4e6bbf38aab8ac6220f44497a

SHA1
0ae927bc2752340a66c3984236ceaddad1c4b263

SHA256
19cbcdba74e18aa42414082a8941d3634e763ad4e52e399fe818139aa2331ae0

SHA512
2aeb58325113c1b7a694b9f29a1ce7b9e4e79d165fff6e69405d4ffdbd1b2fc9a51c8d4850b1bfc17b13c8608a7f92b3c77314eb30a4b9ae14b39cf3f0df25fd

Download Submit
C:\221f68f1c283c53ef446fe\update\updspapi.dll
Filesize
378KB

MD5
0c74bebb2e57e61cf2372e8936aa1286

SHA1
adc79970c4e7a1d64c84a13e52c45e1f7317873d

SHA256
7890f3de15cf561a26f7e6d4009baada5a727df47ec63a7582477625e94087ed

SHA512
1d3f303b7dd953b205b18f4424284c59d43a4ca1f5556db76dccc6f26ef53099a7cc12fbcafe63135f5ff01b79ba3ce902516b2d9de1a5582b73fbf40e124e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\0E573865_Rar\13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Filesize
551KB

MD5
89d07e1d38c96bed465861fd6969ec60

SHA1
8bd74dab8ba88a560c28db353fcb01068751945a

SHA256
f47924fb61ed8c497a3b8cf7bdc2693df818886333d4bede8cf2d5a81c12cbd2

SHA512
390649fc16d9828f5eb7097f7e447f312911f698b58a65194ab6ebd604691f32a934984d54efca600c03d9320b557b5fdab0e04ea7e586e203479d4dbb98c534

Download Submit
memory/1168-14-0x0000000001002000-0x0000000001003000-memory.dmp

Filesize
4KB

Download
memory/1168-1-0x0000000002440000-0x0000000003470000-memory.dmp

Filesize
16.2MB

Download
memory/1168-0-0x0000000001000000-0x0000000001030000-memory.dmp

Filesize
192KB

Download
memory/1168-9-0x0000000002440000-0x0000000003470000-memory.dmp

Filesize
16.2MB

Download
memory/1168-21-0x0000000001000000-0x0000000001030000-memory.dmp

Filesize
192KB

Download
memory/1168-20-0x0000000001000000-0x0000000001030000-memory.dmp

Filesize
192KB

Download
memory/1168-16-0x0000000003A00000-0x0000000003A01000-memory.dmp

Filesize
4KB

Download
memory/1168-17-0x0000000003970000-0x0000000003972000-memory.dmp

Filesize
8KB

Download
memory/1168-11-0x0000000002440000-0x0000000003470000-memory.dmp

Filesize
16.2MB

Download
memory/1168-69-0x0000000002440000-0x0000000003470000-memory.dmp

Filesize
16.2MB

Download
memory/1168-70-0x0000000002440000-0x0000000003470000-memory.dmp

Filesize
16.2MB

Download
memory/1168-15-0x0000000003970000-0x0000000003972000-memory.dmp

Filesize
8KB

Download
memory/1168-122-0x0000000001000000-0x0000000001030000-memory.dmp

Filesize
192KB

Download
memory/1168-84-0x0000000002440000-0x0000000003470000-memory.dmp

Filesize
16.2MB

Download
memory/1168-88-0x0000000002440000-0x0000000003470000-memory.dmp

Filesize
16.2MB

Download
memory/1168-112-0x0000000003970000-0x0000000003972000-memory.dmp

Filesize
8KB

Download
memory/1168-98-0x0000000002440000-0x0000000003470000-memory.dmp

Filesize
16.2MB

Download
memory/3348-90-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/3348-100-0x0000000000770000-0x0000000000772000-memory.dmp

Filesize
8KB

Download
memory/3348-91-0x0000000000770000-0x0000000000772000-memory.dmp

Filesize
8KB

Download
memory/3348-75-0x0000000000B20000-0x0000000000B80000-memory.dmp

Filesize
384KB

Download