ca898de55807908e60ac2b2fd5d121fad3bae8e2f1facffad01f83741ef7c3e7

General

Target

eba294062d83291164fbe084cf076ebc_JaffaCakes118.exe
Size

24KB
MD5

eba294062d83291164fbe084cf076ebc
SHA1

0685a368d99c938d5af514c0985e8a436d7b80f3
SHA256

ca898de55807908e60ac2b2fd5d121fad3bae8e2f1facffad01f83741ef7c3e7
SHA512

7e946e890b349e2d6c08da0e1f6497a879b76239b3e71ff26ce0091b4a120dc525c720f9f48380d6e3eb40778085fb53b60383ede9989c64a7c2150940802e79
SSDEEP

384:/30T352o3pGmjLRxANhafz4cDgjsNWAG56:CI0YmHkNhhcU4

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	reg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Process = "C:\\Windows\\System32\\SystemTimer-5474596193354\\csrs.exe"	eba294062d83291164fbe084cf076ebc_JaffaCakes118.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\RegWindowsUpdateXPtoVista.bat	eba294062d83291164fbe084cf076ebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemTimer-5474596193354\csrs.exe	eba294062d83291164fbe084cf076ebc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SystemTimer-5474596193354\csrs.exe	eba294062d83291164fbe084cf076ebc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SystemTimer-5474596193354\Security.dat	eba294062d83291164fbe084cf076ebc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemTimer-5474596193354\SecurityReference.dat	eba294062d83291164fbe084cf076ebc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SystemTimer-5474596193354\SecurityReference.dat	eba294062d83291164fbe084cf076ebc_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4420	eba294062d83291164fbe084cf076ebc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 1112	4420	eba294062d83291164fbe084cf076ebc_JaffaCakes118.exe	94
PID 4420 wrote to memory of 1112	4420	eba294062d83291164fbe084cf076ebc_JaffaCakes118.exe	94
PID 4420 wrote to memory of 1112	4420	eba294062d83291164fbe084cf076ebc_JaffaCakes118.exe	94
PID 1112 wrote to memory of 4916	1112	cmd.exe	96
PID 1112 wrote to memory of 4916	1112	cmd.exe	96
PID 1112 wrote to memory of 4916	1112	cmd.exe	96
PID 1112 wrote to memory of 768	1112	cmd.exe	97
PID 1112 wrote to memory of 768	1112	cmd.exe	97
PID 1112 wrote to memory of 768	1112	cmd.exe	97
PID 1112 wrote to memory of 3436	1112	cmd.exe	98
PID 1112 wrote to memory of 3436	1112	cmd.exe	98
PID 1112 wrote to memory of 3436	1112	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\eba294062d83291164fbe084cf076ebc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eba294062d83291164fbe084cf076ebc_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\RegWindowsUpdateXPtoVista.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Security Center" /v FirewallDisableNotify /t REG_DWORD /d 0x00000001 /f
    3⤵
    - Windows security bypass
    PID:4916
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\System\CurrentControlSet\Serices\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0x00000000 /f
    3⤵
    PID:768
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Security Center" /v AntiVirusDisableNotify /t REG_DWORD /d 0x00000001 /f
    3⤵
    - Windows security bypass
    PID:3436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4248 --field-trial-handle=2224,i,17688331074622862378,73816879873678745,262144 --variations-seed-version /prefetch:8
1⤵
PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\RegWindowsUpdateXPtoVista.bat

Filesize
382B

MD5
1d57d9e49337b689e9c2b74a415cf023

SHA1
2c133ac97da77e9efbde350765d5d21d303203d3

SHA256
c8cd53423483d7ea743f73d4cb3e9a5d9d4f54e3499c59eac8cef900c8bba483

SHA512
a0560c190a6cb8aa3e992aadacdeedd76a4ac335f4196907bdfc31791e3e84d6c117a1c012b158cd672821f64868f45e292907808bc6be0c4759d53e3d36684b

Download Submit
C:\Windows\SysWOW64\SystemTimer-5474596193354\SecurityReference.dat

Filesize
86B

MD5
d8b7d78dd5e4bffa3aa8a768327f9434

SHA1
ef1cb6b0cffdd9fab383f17892848f51bf26839a

SHA256
a12ec8a0ce2bde177ba5630a01ae2484eac78fac4d303180b41c6de2416b6f7a

SHA512
383945fc24f0d60c3a572f6b3e4eb992647ff5756da246010bb4e16e43331f7b517888e52c1ed033de043dd85583caaebb8a1b5ef4d70dff3a3b73ca87c66941

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads