Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 08/04/2024, 18:18
Static task: static1
Behavioral task: behavioral1
  Sample: e81b3501b8f5972812e93c4a40717467_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e81b3501b8f5972812e93c4a40717467_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: e81b3501b8f5972812e93c4a40717467_JaffaCakes118.exe
Size: 360KB
MD5: e81b3501b8f5972812e93c4a40717467
SHA1: 17fa72c70ee59efee002a11bfd2180d7d7ed56cb
SHA256: 7b12b948342e060ed2e44b14a8b97d276aa74d68529039237a92e85bfaf11f20
SHA512: bc67dc281b44f2a75f596e5dc4969292f12406b6dfe24751d8d23aa93361ba6fc56ba04d88a3b7744e307cb7ff17ecfc7cf9aa3b0fba9c9c6c6a06d0456970b1
SSDEEP: 6144:50CUmXw1GYKTTSHnTCg60t76tiMvJ0QvQ0AAwTw8VzJXu:bU7nESHTCgvtWio0Y
Malware Config
Signatures
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6AEB00014973000B41D1B4EB2331.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 043A6AEB00014973000B41D1B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 043A6AEB00014973000B41D1B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 043A6AEB00014973000B41D1B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 043A6AEB00014973000B41D1B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 043A6AEB00014973000B41D1B4EB2331.exe

Disables taskbar notifications via registry modification
Deletes itself 1 IoCs
pid | Process
2296 | 043A6AEB00014973000B41D1B4EB2331.exe

Executes dropped EXE 1 IoCs
pid | Process
2296 | 043A6AEB00014973000B41D1B4EB2331.exe

Loads dropped DLL 2 IoCs
pid | Process
828 | e81b3501b8f5972812e93c4a40717467_JaffaCakes118.exe
828 | e81b3501b8f5972812e93c4a40717467_JaffaCakes118.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 043A6AEB00014973000B41D1B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 043A6AEB00014973000B41D1B4EB2331.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc | 043A6AEB00014973000B41D1B4EB2331.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc | 043A6AEB00014973000B41D1B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 043A6AEB00014973000B41D1B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 043A6AEB00014973000B41D1B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 043A6AEB00014973000B41D1B4EB2331.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6AEB00014973000B41D1B4EB2331.exe
Modifies registry class 22 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\.exe\ = "043A6" | 043A6AEB00014973000B41D1B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\043A6\DefaultIcon | 043A6AEB00014973000B41D1B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\043A6\shell | 043A6AEB00014973000B41D1B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\043A6\shell\open | 043A6AEB00014973000B41D1B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\043A6\shell\start\command | 043A6AEB00014973000B41D1B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\043A6\shell\start\command\IsolatedCommand = "\"%1\" %*" | 043A6AEB00014973000B41D1B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\043A6\shell\runas\command | 043A6AEB00014973000B41D1B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\.exe | 043A6AEB00014973000B41D1B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\043A6\shell\runas\command\ = "\"%1\" %*" | 043A6AEB00014973000B41D1B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\043A6\shell\open\command\ = "\"C:\\ProgramData\\043A6AEB00014973000B41D1B4EB2331\\043A6AEB00014973000B41D1B4EB2331.exe\" -s \"%1\" %*" | 043A6AEB00014973000B41D1B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\043A6\shell\open\command\IsolatedCommand = "\"%1\" %*" | 043A6AEB00014973000B41D1B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\043A6\shell\start | 043A6AEB00014973000B41D1B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\043A6\shell\start\command\ = "\"%1\" %*" | 043A6AEB00014973000B41D1B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\043A6\shell\runas | 043A6AEB00014973000B41D1B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\043A6\shell\runas\command\IsolatedCommand = "\"%1\" %*" | 043A6AEB00014973000B41D1B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\043A6\Content Type = "application/x-msdownload" | 043A6AEB00014973000B41D1B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\043A6\DefaultIcon\ = "%1" | 043A6AEB00014973000B41D1B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\%s\ = "043A6" | 043A6AEB00014973000B41D1B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\043A6 | 043A6AEB00014973000B41D1B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\043A6\ = "Application" | 043A6AEB00014973000B41D1B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\043A6\shell\open\command | 043A6AEB00014973000B41D1B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\%s | 043A6AEB00014973000B41D1B4EB2331.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
828 | e81b3501b8f5972812e93c4a40717467_JaffaCakes118.exe (1 entry)
2296 | 043A6AEB00014973000B41D1B4EB2331.exe (remaining 63 entries, identical)
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2296 | 043A6AEB00014973000B41D1B4EB2331.exe
2296 | 043A6AEB00014973000B41D1B4EB2331.exe

Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
2296 | 043A6AEB00014973000B41D1B4EB2331.exe
2296 | 043A6AEB00014973000B41D1B4EB2331.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2296 | 043A6AEB00014973000B41D1B4EB2331.exe
2296 | 043A6AEB00014973000B41D1B4EB2331.exe

Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 828 wrote to memory of 2296 | 828 | e81b3501b8f5972812e93c4a40717467_JaffaCakes118.exe | 28
PID 828 wrote to memory of 2296 | 828 | e81b3501b8f5972812e93c4a40717467_JaffaCakes118.exe | 28
PID 828 wrote to memory of 2296 | 828 | e81b3501b8f5972812e93c4a40717467_JaffaCakes118.exe | 28
PID 828 wrote to memory of 2296 | 828 | e81b3501b8f5972812e93c4a40717467_JaffaCakes118.exe | 28

System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6AEB00014973000B41D1B4EB2331.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\e81b3501b8f5972812e93c4a40717467_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e81b3501b8f5972812e93c4a40717467_JaffaCakes118.exe"
   PID: 828
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\043A6AEB00014973000B41D1B4EB2331\043A6AEB00014973000B41D1B4EB2331.exe
      Command line: "C:\ProgramData\043A6AEB00014973000B41D1B4EB2331\043A6AEB00014973000B41D1B4EB2331.exe" -d "C:\Users\Admin\AppData\Local\Temp\e81b3501b8f5972812e93c4a40717467_JaffaCakes118.exe"
      PID: 2296
      - UAC bypass
      - Windows security bypass
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - System policy modification
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 328B
MD5: 6afedc90e0289252e2c51f6d76595fdf
SHA1: 16c8508817a7c6bdb8a6594913e4e94a874a98e9
SHA256: 332656eb7e4e15e590bd91c2be9b287d8f66f8ef45094fcfc05af716e794fb63
SHA512: 1732a405faa779a8fc75bb3d45b3ecd885c9feb1598a3acaf715b947c9fb98b29515e8484be2c72d1d01896aec749698e6764666ccb8e9de156be57322c5372f

Filesize: 360KB
MD5: e81b3501b8f5972812e93c4a40717467
SHA1: 17fa72c70ee59efee002a11bfd2180d7d7ed56cb
SHA256: 7b12b948342e060ed2e44b14a8b97d276aa74d68529039237a92e85bfaf11f20
SHA512: bc67dc281b44f2a75f596e5dc4969292f12406b6dfe24751d8d23aa93361ba6fc56ba04d88a3b7744e307cb7ff17ecfc7cf9aa3b0fba9c9c6c6a06d0456970b1