a4470a3fc24703976217fd9aeb6758c8d09ead5ea8cdf114c287b559b63f0b7d

Analysis

max time kernel
94s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe
Size

32KB
MD5

f4f7e6f813317dfdb521e9a4c8701cb9
SHA1

5e135676cf3dff7920469379682c8d99c317c0f0
SHA256

a4470a3fc24703976217fd9aeb6758c8d09ead5ea8cdf114c287b559b63f0b7d
SHA512

535e57f7eef29823e643bd93ea170ee1eb3572a1f521e6be76ee3bbef91de3a727e6c73909901f97dca9f038f76d9548626de1479d5ebff4b6de802987067e17
SSDEEP

384:29oqDswpeD68I4c0hWQGyrEbwuA4d37SrFYg/9WLKSDZyn4f:2iaswMLI4cnLyrEbwuA4d37EYgsLvo4

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe
1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe
1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe
1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 2752	1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe	84
PID 1140 wrote to memory of 2752	1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe	84
PID 1140 wrote to memory of 2752	1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe	84
PID 1140 wrote to memory of 4436	1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe	85
PID 1140 wrote to memory of 4436	1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe	85
PID 1140 wrote to memory of 4436	1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe	85
PID 1140 wrote to memory of 3940	1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe	86
PID 1140 wrote to memory of 3940	1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe	86
PID 1140 wrote to memory of 3940	1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe	86
PID 1140 wrote to memory of 3436	1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe	87
PID 1140 wrote to memory of 3436	1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe	87
PID 1140 wrote to memory of 3436	1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe	87
PID 1140 wrote to memory of 4384	1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe	88
PID 1140 wrote to memory of 4384	1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe	88
PID 1140 wrote to memory of 4384	1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe	88
PID 4436 wrote to memory of 1792	4436	cmd.exe	94
PID 4436 wrote to memory of 1792	4436	cmd.exe	94
PID 4436 wrote to memory of 1792	4436	cmd.exe	94
PID 1792 wrote to memory of 796	1792	net.exe	95
PID 1792 wrote to memory of 796	1792	net.exe	95
PID 1792 wrote to memory of 796	1792	net.exe	95
PID 4384 wrote to memory of 3720	4384	cmd.exe	96
PID 4384 wrote to memory of 3720	4384	cmd.exe	96
PID 4384 wrote to memory of 3720	4384	cmd.exe	96
PID 2752 wrote to memory of 3976	2752	cmd.exe	97
PID 2752 wrote to memory of 3976	2752	cmd.exe	97
PID 2752 wrote to memory of 3976	2752	cmd.exe	97
PID 3976 wrote to memory of 2516	3976	net.exe	98
PID 3976 wrote to memory of 2516	3976	net.exe	98
PID 3976 wrote to memory of 2516	3976	net.exe	98
PID 3436 wrote to memory of 4808	3436	cmd.exe	99
PID 3436 wrote to memory of 4808	3436	cmd.exe	99
PID 3436 wrote to memory of 4808	3436	cmd.exe	99
PID 1140 wrote to memory of 3948	1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe	106
PID 1140 wrote to memory of 3948	1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe	106
PID 1140 wrote to memory of 3948	1140	f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe	106

C:\Users\Admin\AppData\Local\Temp\f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f4f7e6f813317dfdb521e9a4c8701cb9_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\net.exe
    net stop "Security Center"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Security Center"
      4⤵
      PID:2516
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SharedAccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:796
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
  2⤵
  PID:3940
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
    3⤵
    - Modifies security service
    PID:4808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
    3⤵
    - Modifies security service
    PID:3720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C C:\0.
  2⤵
  PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads