sality | d6585dcf190836833364f87f6a154e32def70e5cbe26f6910166851c35987a34

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b47a070106c88c4b0c2e0901d989e3c_JaffaCakes118.dll
Size

120KB
MD5

1b47a070106c88c4b0c2e0901d989e3c
SHA1

3bb007059cca038e9266e5e08ff1711e981feccd
SHA256

d6585dcf190836833364f87f6a154e32def70e5cbe26f6910166851c35987a34
SHA512

6189ab8671e7545696bbed09d1e8611e4e1af9154e6feddc36c4963b29095b2b0417aecb7b096c46f60f37cba5a5bfeb7bf5690db5ad0ecf080c0e9a8cd83fdd
SSDEEP

3072:dFGPNfa6dSDHuFg3x9j2vNx4yhlo3clk21SwKzRMR:d+9+60yBZ1Sw

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e574aa5.exee578136.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e574aa5.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e574aa5.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e578136.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e578136.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e578136.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e574aa5.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e574aa5.exee578136.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574aa5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e578136.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e574aa5.exee578136.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e574aa5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e574aa5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e578136.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e578136.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e578136.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e578136.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e574aa5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e574aa5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e574aa5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e574aa5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e578136.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e578136.exe

Executes dropped EXE 3 IoCs

Processes:

e574aa5.exee574c8a.exee578136.exe

pid process

4376 e574aa5.exe
3088 e574c8a.exe
4524 e578136.exe

pid	process
4376	e574aa5.exe
3088	e574c8a.exe
4524	e578136.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4376-6-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-10-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-17-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-20-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-9-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-8-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-27-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-26-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-19-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-18-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-37-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-38-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-39-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-40-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-41-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-43-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-48-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-50-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-59-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-60-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-63-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-64-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-67-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4376-80-0x0000000000750000-0x000000000180A000-memory.dmp	upx
behavioral2/memory/4524-92-0x0000000000880000-0x000000000193A000-memory.dmp	upx
behavioral2/memory/4524-103-0x0000000000880000-0x000000000193A000-memory.dmp	upx
behavioral2/memory/4524-147-0x0000000000880000-0x000000000193A000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e574aa5.exee578136.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e574aa5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e574aa5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e574aa5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e578136.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e578136.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e574aa5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e574aa5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e578136.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e574aa5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e578136.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e578136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e578136.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e574aa5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e578136.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e574aa5.exee578136.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574aa5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e578136.exe

Enumerates connected drives 3 TTPs 13 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e574aa5.exee578136.exe

description	ioc	process
File opened (read-only)	\??\G:	e574aa5.exe
File opened (read-only)	\??\L:	e574aa5.exe
File opened (read-only)	\??\E:	e578136.exe
File opened (read-only)	\??\J:	e578136.exe
File opened (read-only)	\??\E:	e574aa5.exe
File opened (read-only)	\??\M:	e574aa5.exe
File opened (read-only)	\??\I:	e574aa5.exe
File opened (read-only)	\??\J:	e574aa5.exe
File opened (read-only)	\??\K:	e574aa5.exe
File opened (read-only)	\??\G:	e578136.exe
File opened (read-only)	\??\I:	e578136.exe
File opened (read-only)	\??\H:	e574aa5.exe
File opened (read-only)	\??\H:	e578136.exe

Drops file in Windows directory 3 IoCs

Processes:

e574aa5.exee578136.exe

description ioc process

File created C:\Windows\e574af3 e574aa5.exe
File opened for modification C:\Windows\SYSTEM.INI e574aa5.exe
File created C:\Windows\e57a8b3 e578136.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e574aa5.exee578136.exe

pid process

4376 e574aa5.exe
4376 e574aa5.exe
4376 e574aa5.exe
4376 e574aa5.exe
4524 e578136.exe
4524 e578136.exe

description	ioc	process
File created	C:\Windows\e574af3	e574aa5.exe
File opened for modification	C:\Windows\SYSTEM.INI	e574aa5.exe
File created	C:\Windows\e57a8b3	e578136.exe

pid	process
4376	e574aa5.exe
4376	e574aa5.exe
4376	e574aa5.exe
4376	e574aa5.exe
4524	e578136.exe
4524	e578136.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e574aa5.exe

description	pid	process
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe
Token: SeDebugPrivilege	4376	e574aa5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee574aa5.exee578136.exe

description	pid	process	target process
PID 4740 wrote to memory of 3076	4740	rundll32.exe	rundll32.exe
PID 4740 wrote to memory of 3076	4740	rundll32.exe	rundll32.exe
PID 4740 wrote to memory of 3076	4740	rundll32.exe	rundll32.exe
PID 3076 wrote to memory of 4376	3076	rundll32.exe	e574aa5.exe
PID 3076 wrote to memory of 4376	3076	rundll32.exe	e574aa5.exe
PID 3076 wrote to memory of 4376	3076	rundll32.exe	e574aa5.exe
PID 4376 wrote to memory of 804	4376	e574aa5.exe	fontdrvhost.exe
PID 4376 wrote to memory of 808	4376	e574aa5.exe	fontdrvhost.exe
PID 4376 wrote to memory of 376	4376	e574aa5.exe	dwm.exe
PID 4376 wrote to memory of 2992	4376	e574aa5.exe	sihost.exe
PID 4376 wrote to memory of 3000	4376	e574aa5.exe	svchost.exe
PID 4376 wrote to memory of 2252	4376	e574aa5.exe	taskhostw.exe
PID 4376 wrote to memory of 3424	4376	e574aa5.exe	Explorer.EXE
PID 4376 wrote to memory of 3552	4376	e574aa5.exe	svchost.exe
PID 4376 wrote to memory of 3736	4376	e574aa5.exe	DllHost.exe
PID 4376 wrote to memory of 3824	4376	e574aa5.exe	StartMenuExperienceHost.exe
PID 4376 wrote to memory of 3924	4376	e574aa5.exe	RuntimeBroker.exe
PID 4376 wrote to memory of 4016	4376	e574aa5.exe	SearchApp.exe
PID 4376 wrote to memory of 3664	4376	e574aa5.exe	RuntimeBroker.exe
PID 4376 wrote to memory of 4520	4376	e574aa5.exe	RuntimeBroker.exe
PID 4376 wrote to memory of 1096	4376	e574aa5.exe	TextInputHost.exe
PID 4376 wrote to memory of 2064	4376	e574aa5.exe	backgroundTaskHost.exe
PID 4376 wrote to memory of 3812	4376	e574aa5.exe	backgroundTaskHost.exe
PID 4376 wrote to memory of 4740	4376	e574aa5.exe	rundll32.exe
PID 4376 wrote to memory of 3076	4376	e574aa5.exe	rundll32.exe
PID 4376 wrote to memory of 3076	4376	e574aa5.exe	rundll32.exe
PID 3076 wrote to memory of 3088	3076	rundll32.exe	e574c8a.exe
PID 3076 wrote to memory of 3088	3076	rundll32.exe	e574c8a.exe
PID 3076 wrote to memory of 3088	3076	rundll32.exe	e574c8a.exe
PID 4376 wrote to memory of 804	4376	e574aa5.exe	fontdrvhost.exe
PID 4376 wrote to memory of 808	4376	e574aa5.exe	fontdrvhost.exe
PID 4376 wrote to memory of 376	4376	e574aa5.exe	dwm.exe
PID 4376 wrote to memory of 2992	4376	e574aa5.exe	sihost.exe
PID 4376 wrote to memory of 3000	4376	e574aa5.exe	svchost.exe
PID 4376 wrote to memory of 2252	4376	e574aa5.exe	taskhostw.exe
PID 4376 wrote to memory of 3424	4376	e574aa5.exe	Explorer.EXE
PID 4376 wrote to memory of 3552	4376	e574aa5.exe	svchost.exe
PID 4376 wrote to memory of 3736	4376	e574aa5.exe	DllHost.exe
PID 4376 wrote to memory of 3824	4376	e574aa5.exe	StartMenuExperienceHost.exe
PID 4376 wrote to memory of 3924	4376	e574aa5.exe	RuntimeBroker.exe
PID 4376 wrote to memory of 4016	4376	e574aa5.exe	SearchApp.exe
PID 4376 wrote to memory of 3664	4376	e574aa5.exe	RuntimeBroker.exe
PID 4376 wrote to memory of 4520	4376	e574aa5.exe	RuntimeBroker.exe
PID 4376 wrote to memory of 1096	4376	e574aa5.exe	TextInputHost.exe
PID 4376 wrote to memory of 2064	4376	e574aa5.exe	backgroundTaskHost.exe
PID 4376 wrote to memory of 3812	4376	e574aa5.exe	backgroundTaskHost.exe
PID 4376 wrote to memory of 4740	4376	e574aa5.exe	rundll32.exe
PID 4376 wrote to memory of 3088	4376	e574aa5.exe	e574c8a.exe
PID 4376 wrote to memory of 3088	4376	e574aa5.exe	e574c8a.exe
PID 4376 wrote to memory of 1672	4376	e574aa5.exe	RuntimeBroker.exe
PID 4376 wrote to memory of 1988	4376	e574aa5.exe	RuntimeBroker.exe
PID 3076 wrote to memory of 4524	3076	rundll32.exe	e578136.exe
PID 3076 wrote to memory of 4524	3076	rundll32.exe	e578136.exe
PID 3076 wrote to memory of 4524	3076	rundll32.exe	e578136.exe
PID 4524 wrote to memory of 804	4524	e578136.exe	fontdrvhost.exe
PID 4524 wrote to memory of 808	4524	e578136.exe	fontdrvhost.exe
PID 4524 wrote to memory of 376	4524	e578136.exe	dwm.exe
PID 4524 wrote to memory of 2992	4524	e578136.exe	sihost.exe
PID 4524 wrote to memory of 3000	4524	e578136.exe	svchost.exe
PID 4524 wrote to memory of 2252	4524	e578136.exe	taskhostw.exe
PID 4524 wrote to memory of 3424	4524	e578136.exe	Explorer.EXE
PID 4524 wrote to memory of 3552	4524	e578136.exe	svchost.exe
PID 4524 wrote to memory of 3736	4524	e578136.exe	DllHost.exe
PID 4524 wrote to memory of 3824	4524	e578136.exe	StartMenuExperienceHost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e574aa5.exee578136.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e574aa5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e578136.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:804

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:808

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:376

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3000

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2252

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3424

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1b47a070106c88c4b0c2e0901d989e3c_JaffaCakes118.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1b47a070106c88c4b0c2e0901d989e3c_JaffaCakes118.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:3076

C:\Users\Admin\AppData\Local\Temp\e574aa5.exe
C:\Users\Admin\AppData\Local\Temp\e574aa5.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4376

C:\Users\Admin\AppData\Local\Temp\e574c8a.exe
C:\Users\Admin\AppData\Local\Temp\e574c8a.exe
4⤵
- Executes dropped EXE
PID:3088

C:\Users\Admin\AppData\Local\Temp\e578136.exe
C:\Users\Admin\AppData\Local\Temp\e578136.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3736

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3824

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3924

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4016

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3664

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4520

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1096

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2064

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1672

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e574aa5.exe
Filesize
97KB

MD5
043dc85ef6acb3e9435ab5cb10d1c9bf

SHA1
28f23f9b8bac07b4a2fed31bf19d7a8700ad6c08

SHA256
3cff318bb1e3839bc5c14fe3772f6982048c5d492480a844db10aba0d1d16d6a

SHA512
76f20ed2551eccf61e8e96a6f0437c3bde9cbb79cc23e204327b0f56ee10ca75e2960eb1bb141e358161212373f0a2c8e5a8127dec33a1b90efd086b97d921f3

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
fb572eeaf80953cd3bcc0ceba2ffaeff

SHA1
ff22614af9fa5dd2daeea4b7d9be68ef1bc177e5

SHA256
1a1a89f9b0dc5ddcb9ec78c2dafc921172d0e547c6694cd3e98391df5083b4d4

SHA512
8c62dd1d4ee0134f6533159b05972d882d0572de4591597939c93d391ac3f98076b204b09027e9d286f4aa096d52900a7f23943f85de77ed2e7c776c8aeab83b

Download Submit
memory/3076-28-0x0000000004170000-0x0000000004171000-memory.dmp

Filesize
4KB

Download
memory/3076-35-0x0000000004160000-0x0000000004162000-memory.dmp

Filesize
8KB

Download
memory/3076-31-0x0000000004160000-0x0000000004162000-memory.dmp

Filesize
8KB

Download
memory/3076-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/3076-21-0x0000000004160000-0x0000000004162000-memory.dmp

Filesize
8KB

Download
memory/3088-91-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3088-45-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3088-47-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3088-46-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3088-88-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3088-36-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4376-40-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-10-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-8-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-34-0x0000000001970000-0x0000000001972000-memory.dmp

Filesize
8KB

Download
memory/4376-26-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-19-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-18-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-9-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-37-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-38-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-39-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-20-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-41-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-17-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-29-0x0000000001970000-0x0000000001972000-memory.dmp

Filesize
8KB

Download
memory/4376-43-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-24-0x00000000040F0000-0x00000000040F1000-memory.dmp

Filesize
4KB

Download
memory/4376-48-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-50-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4376-59-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-60-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-63-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-64-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-67-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-80-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-75-0x0000000001970000-0x0000000001972000-memory.dmp

Filesize
8KB

Download
memory/4376-87-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4376-27-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4376-6-0x0000000000750000-0x000000000180A000-memory.dmp

Filesize
16.7MB

Download
memory/4524-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4524-92-0x0000000000880000-0x000000000193A000-memory.dmp

Filesize
16.7MB

Download
memory/4524-103-0x0000000000880000-0x000000000193A000-memory.dmp

Filesize
16.7MB

Download
memory/4524-113-0x0000000001C80000-0x0000000001C81000-memory.dmp

Filesize
4KB

Download
memory/4524-112-0x0000000000770000-0x0000000000772000-memory.dmp

Filesize
8KB

Download
memory/4524-146-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4524-147-0x0000000000880000-0x000000000193A000-memory.dmp

Filesize
16.7MB

Download