a562ec385a88d986cc5b2bcf4436b6b338f05e2945267ac47a7f19c0a7c1fd2a

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 20:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
Size

364KB
MD5

f4437846c813f516d61e9e6b11f51ccf
SHA1

dc3ee517da83258c6ea6762e700304bdb4d80732
SHA256

a562ec385a88d986cc5b2bcf4436b6b338f05e2945267ac47a7f19c0a7c1fd2a
SHA512

ed2d9b58c47bae6f6373e660d2c6b90301ceda88b551c8ff882ffebcc8fa79df1873e264d6700dfbcd09ba93d3ef476400fbb4baf9a2712d80e540a8edeacad6
SSDEEP

6144:S9t/G4OXBICA5J+1HfabCAB5n25iV27mPAntKyBFhx8K7zHJFHm0qcWR/TCeI0WU:S9t+lcj+1/abvq5K5AtKcFhGozpFHXFE

Score

10^/10

evasion trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	043A6A5B00014973000B88E7B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	043A6A5B00014973000B88E7B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	043A6A5B00014973000B88E7B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	043A6A5B00014973000B88E7B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	043A6A5B00014973000B88E7B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
2944	043A6A5B00014973000B88E7B4EB2331.exe

Loads dropped DLL 2 IoCs

pid	Process
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	043A6A5B00014973000B88E7B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	043A6A5B00014973000B88E7B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	043A6A5B00014973000B88E7B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	043A6A5B00014973000B88E7B4EB2331.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc	043A6A5B00014973000B88E7B4EB2331.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc	043A6A5B00014973000B88E7B4EB2331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	043A6A5B00014973000B88E7B4EB2331.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
2944	043A6A5B00014973000B88E7B4EB2331.exe
2944	043A6A5B00014973000B88E7B4EB2331.exe
2944	043A6A5B00014973000B88E7B4EB2331.exe
2944	043A6A5B00014973000B88E7B4EB2331.exe
2944	043A6A5B00014973000B88E7B4EB2331.exe
2944	043A6A5B00014973000B88E7B4EB2331.exe
2944	043A6A5B00014973000B88E7B4EB2331.exe
2944	043A6A5B00014973000B88E7B4EB2331.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2944	1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe	28
PID 1460 wrote to memory of 2944	1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe	28
PID 1460 wrote to memory of 2944	1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe	28
PID 1460 wrote to memory of 2944	1460	f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe"
1⤵
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1460
- C:\ProgramData\043A6A5B00014973000B88E7B4EB2331\043A6A5B00014973000B88E7B4EB2331.exe
  "C:\ProgramData\043A6A5B00014973000B88E7B4EB2331\043A6A5B00014973000B88E7B4EB2331.exe" "C:\Users\Admin\AppData\Local\Temp\f4437846c813f516d61e9e6b11f51ccf_JaffaCakes118.exe"
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\043A6A5B00014973000B88E7B4EB2331\043A6A5B00014973000B88E7B4EB2331.exe

Filesize
364KB

MD5
f4437846c813f516d61e9e6b11f51ccf

SHA1
dc3ee517da83258c6ea6762e700304bdb4d80732

SHA256
a562ec385a88d986cc5b2bcf4436b6b338f05e2945267ac47a7f19c0a7c1fd2a

SHA512
ed2d9b58c47bae6f6373e660d2c6b90301ceda88b551c8ff882ffebcc8fa79df1873e264d6700dfbcd09ba93d3ef476400fbb4baf9a2712d80e540a8edeacad6

Download Submit
memory/1460-2-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1460-1-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/1460-0-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1460-16-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1460-20-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2944-11-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2944-12-0x0000000000690000-0x0000000000692000-memory.dmp

Filesize
8KB

Download
memory/2944-15-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download