Analysis
max time kernel: 122s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 09:28
Static task: static1
Behavioral task: behavioral1
Sample: 1ac4705202148acdeedadb0998f1c7f4_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: 1ac4705202148acdeedadb0998f1c7f4_JaffaCakes118.exe
Size: 97KB
MD5: 1ac4705202148acdeedadb0998f1c7f4
SHA1: e5b47a6efaabd9f1a37aa22653d18592b9807526
SHA256: 7709e8046543fd26e7f26295be7617cfb5c53a2448d436d2077e4a656ade483f
SHA512: 303321473e49f48d51b98b4b249585d8c901168c535a0c1ac0504413fe4c4e7ea933c2f412e06a9e0a6c23eccbcee85809f38bd35db63ee09ee5b0d1a7c1bb39
SSDEEP: 1536:SNXY1olQlych+Y1Op2lYAEZi7QU8k1juErLd9EIR7P/VS4Itj:SNowA02lHai7HjuIdacIF
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 3 IoCs
Process: 1ac4705202148acdeedadb0998f1c7f4_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
UAC bypass 1 IoCs
Process: 1ac4705202148acdeedadb0998f1c7f4_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass 6 IoCs
Process: 1ac4705202148acdeedadb0998f1c7f4_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Yara rule match: upx 41 IoCs
Resource: behavioral2/memory/400-N-0x0000000000840000-0x00000000018FA000-memory.dmp (41 dumps of the same region of pid 400)
Dump indices N: 1, 2, 4, 5, 6, 7, 15, 17, 19, 20, 21, 22, 23, 24, 25, 26, 28, 29, 30, 32, 33, 35, 36, 39, 41, 44, 45, 48, 49, 53, 54, 61, 63, 66, 67, 68, 70, 72, 76, 77, 78
Windows security modification 7 IoCs
Process: 1ac4705202148acdeedadb0998f1c7f4_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Checks whether UAC is enabled 1 IoCs
Process: 1ac4705202148acdeedadb0998f1c7f4_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Process: 1ac4705202148acdeedadb0998f1c7f4_JaffaCakes118.exe
File opened (read-only), one IoC per drive letter, in the order observed:
\??\Z:, \??\J:, \??\K:, \??\P:, \??\X:, \??\U:, \??\Y:, \??\E:, \??\M:, \??\O:, \??\S:, \??\W:, \??\G:, \??\H:, \??\R:, \??\V:, \??\T:, \??\I:, \??\L:, \??\N:, \??\Q:
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Process: 1ac4705202148acdeedadb0998f1c7f4_JaffaCakes118.exe
File opened for modification F:\autorun.inf
File opened for modification C:\autorun.inf
Drops file in Program Files directory 12 IoCs
Process: 1ac4705202148acdeedadb0998f1c7f4_JaffaCakes118.exe
File opened for modification C:\Program Files\7-Zip\Uninstall.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
File opened for modification C:\Program Files\7-Zip\7z.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Drops file in Windows directory 2 IoCs
Process: 1ac4705202148acdeedadb0998f1c7f4_JaffaCakes118.exe
File created C:\Windows\e575d72
File opened for modification C:\Windows\SYSTEM.INI
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 1 IoCs
Process: 1ac4705202148acdeedadb0998f1c7f4_JaffaCakes118.exe
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses 24 IoCs
Process: 1ac4705202148acdeedadb0998f1c7f4_JaffaCakes118.exe, pid 400 (24 identical occurrences)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Process: 1ac4705202148acdeedadb0998f1c7f4_JaffaCakes118.exe, pid 400
Token: SeDebugPrivilege (64 identical occurrences)
Suspicious use of WriteProcessMemory 64 IoCs
Process: 1ac4705202148acdeedadb0998f1c7f4_JaffaCakes118.exe, pid 400
PID 400 wrote to memory of the following target processes (each target appears repeatedly across the 64 IoCs; unique target pid and process shown once, in the order first observed):
796 fontdrvhost.exe
800 fontdrvhost.exe
388 dwm.exe
2544 sihost.exe
2648 svchost.exe
2872 taskhostw.exe
3484 Explorer.EXE
3672 svchost.exe
3860 DllHost.exe
4024 StartMenuExperienceHost.exe
4088 RuntimeBroker.exe
2976 SearchApp.exe
3772 RuntimeBroker.exe
4532 RuntimeBroker.exe
5080 TextInputHost.exe
844 backgroundTaskHost.exe
752 backgroundTaskHost.exe
1160 RuntimeBroker.exe
1460 RuntimeBroker.exe
System policy modification 1 TTPs 1 IoCs
Process: 1ac4705202148acdeedadb0998f1c7f4_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes (tree depth shown by indentation; each entry is the image path followed by its command line)
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe
  "dwm.exe"
- C:\Windows\system32\sihost.exe
  sihost.exe
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\1ac4705202148acdeedadb0998f1c7f4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1ac4705202148acdeedadb0998f1c7f4_JaffaCakes118.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
- Create or Modify System Process: 1
  - Windows Service: 1
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
Defense Evasion
- Modify Registry: 5
- Impair Defenses: 4
  - Disable or Modify Tools: 3
  - Disable or Modify System Firewall: 1
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
Downloads
F:\cdea.exe
Filesize: 97KB
MD5: d9a0445c85f95c7965c54601de384992
SHA1: 99db68eb7a4f40bd3d1fe2a8a0cd88a485a87bd1
SHA256: 6c38ee360e753da53a9d8bc529953e921aa5cb6bfb39d89be2f37f7f6186016c
SHA512: f690efe717ecc7fac0c15c006fde9cf2ff9609286c80b23ac15a50d1fffc0dcf9208346be798786c773b31bffd1bb67c956682ca3c07732372586bcae52e2482
Memory dumps of pid 400 (memory/400-N-<start>-<end>-memory.dmp), grouped by region:
- 0x0000000000400000-0x0000000000412000, 72KB: N = 0
- 0x0000000000840000-0x00000000018FA000, 16.7MB: N = 1, 2, 4, 5, 6, 7, 15, 17, 19, 20, 21, 22, 23, 24, 25, 26, 28, 29, 30, 32, 33, 35, 36, 39, 41, 44, 45, 48, 49, 53, 54, 61, 63, 66, 67, 68, 70, 72, 76, 77, 78
- 0x0000000001BC0000-0x0000000001BC2000, 8KB: N = 8, 16, 18, 79
- 0x0000000001BD0000-0x0000000001BD1000, 4KB: N = 9