888dc10b372b04d9b39262d49a71f364521a98709da0fd279f985d316b7020f8

Analysis

max time kernel
6s
max time network
7s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 02:07

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-21T02:07:17Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win7-20240221-en/instance_23-dirty.qcow2\"}"

Report Analysis Logs

General

Target

fe2e55553d1e268f12d027b629c130a5_JaffaCakes118.exe
Size

27KB
MD5

fe2e55553d1e268f12d027b629c130a5
SHA1

921006135f99fd61970217ae0ed02b347c10e8f7
SHA256

888dc10b372b04d9b39262d49a71f364521a98709da0fd279f985d316b7020f8
SHA512

1117bdc7c496ee954629ff80b4cf7cb212a6483748453f7e2c9194dfc94ced9d1c75a34d1f295d375141014e7a9a9c49d2400c08cc8acd6009ca332a20e138c6
SSDEEP

768:FSPzquiqFbBFi2qanSAAZD50MF8Ekbz4OHc:FS+uHFn5sD50M9opHc

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "2"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "2"	reg.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2796-0-0x0000000140000000-0x0000000140015000-memory.dmp	upx
behavioral1/memory/2796-16-0x0000000140000000-0x0000000140015000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2552	shutdown.exe
Token: SeRemoteShutdownPrivilege	2552	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2252	2796	fe2e55553d1e268f12d027b629c130a5_JaffaCakes118.exe	28
PID 2796 wrote to memory of 2252	2796	fe2e55553d1e268f12d027b629c130a5_JaffaCakes118.exe	28
PID 2796 wrote to memory of 2252	2796	fe2e55553d1e268f12d027b629c130a5_JaffaCakes118.exe	28
PID 2252 wrote to memory of 2552	2252	cmd.exe	30
PID 2252 wrote to memory of 2552	2252	cmd.exe	30
PID 2252 wrote to memory of 2552	2252	cmd.exe	30
PID 2252 wrote to memory of 2688	2252	cmd.exe	32
PID 2252 wrote to memory of 2688	2252	cmd.exe	32
PID 2252 wrote to memory of 2688	2252	cmd.exe	32
PID 2252 wrote to memory of 2684	2252	cmd.exe	33
PID 2252 wrote to memory of 2684	2252	cmd.exe	33
PID 2252 wrote to memory of 2684	2252	cmd.exe	33
PID 2252 wrote to memory of 2656	2252	cmd.exe	34
PID 2252 wrote to memory of 2656	2252	cmd.exe	34
PID 2252 wrote to memory of 2656	2252	cmd.exe	34
PID 2252 wrote to memory of 2604	2252	cmd.exe	35
PID 2252 wrote to memory of 2604	2252	cmd.exe	35
PID 2252 wrote to memory of 2604	2252	cmd.exe	35
PID 2252 wrote to memory of 2572	2252	cmd.exe	36
PID 2252 wrote to memory of 2572	2252	cmd.exe	36
PID 2252 wrote to memory of 2572	2252	cmd.exe	36
PID 2252 wrote to memory of 2456	2252	cmd.exe	37
PID 2252 wrote to memory of 2456	2252	cmd.exe	37
PID 2252 wrote to memory of 2456	2252	cmd.exe	37
PID 2252 wrote to memory of 2992	2252	cmd.exe	38
PID 2252 wrote to memory of 2992	2252	cmd.exe	38
PID 2252 wrote to memory of 2992	2252	cmd.exe	38
PID 2252 wrote to memory of 2564	2252	cmd.exe	39
PID 2252 wrote to memory of 2564	2252	cmd.exe	39
PID 2252 wrote to memory of 2564	2252	cmd.exe	39
PID 2252 wrote to memory of 2608	2252	cmd.exe	40
PID 2252 wrote to memory of 2608	2252	cmd.exe	40
PID 2252 wrote to memory of 2608	2252	cmd.exe	40
PID 2252 wrote to memory of 2736	2252	cmd.exe	41
PID 2252 wrote to memory of 2736	2252	cmd.exe	41
PID 2252 wrote to memory of 2736	2252	cmd.exe	41
PID 2252 wrote to memory of 2712	2252	cmd.exe	42
PID 2252 wrote to memory of 2712	2252	cmd.exe	42
PID 2252 wrote to memory of 2712	2252	cmd.exe	42
PID 2252 wrote to memory of 2720	2252	cmd.exe	43
PID 2252 wrote to memory of 2720	2252	cmd.exe	43
PID 2252 wrote to memory of 2720	2252	cmd.exe	43
PID 2252 wrote to memory of 2636	2252	cmd.exe	44
PID 2252 wrote to memory of 2636	2252	cmd.exe	44
PID 2252 wrote to memory of 2636	2252	cmd.exe	44
PID 2252 wrote to memory of 2792	2252	cmd.exe	45
PID 2252 wrote to memory of 2792	2252	cmd.exe	45
PID 2252 wrote to memory of 2792	2252	cmd.exe	45
PID 2252 wrote to memory of 2488	2252	cmd.exe	46
PID 2252 wrote to memory of 2488	2252	cmd.exe	46
PID 2252 wrote to memory of 2488	2252	cmd.exe	46
PID 2252 wrote to memory of 1868	2252	cmd.exe	47
PID 2252 wrote to memory of 1868	2252	cmd.exe	47
PID 2252 wrote to memory of 1868	2252	cmd.exe	47
PID 2252 wrote to memory of 2728	2252	cmd.exe	48
PID 2252 wrote to memory of 2728	2252	cmd.exe	48
PID 2252 wrote to memory of 2728	2252	cmd.exe	48
PID 2252 wrote to memory of 2492	2252	cmd.exe	49
PID 2252 wrote to memory of 2492	2252	cmd.exe	49
PID 2252 wrote to memory of 2492	2252	cmd.exe	49
PID 2252 wrote to memory of 2696	2252	cmd.exe	50
PID 2252 wrote to memory of 2696	2252	cmd.exe	50
PID 2252 wrote to memory of 2696	2252	cmd.exe	50
PID 2252 wrote to memory of 2224	2252	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\fe2e55553d1e268f12d027b629c130a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe2e55553d1e268f12d027b629c130a5_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\14B9.tmp\low.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 5 /c "Oxygen zostanie przeêÑczony w tryb KOMPATYBILNOùÅ. Wszystkie ustawienia zostanÑ przywrócone na domyÿlne."
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\WerSvc" /v "Start" /t REG_DWORD /d "3" /f
    3⤵
    PID:2688
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\WpnService" /v "Start" /t REG_DWORD /d "3" /f
    3⤵
    PID:2684
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService" /v "Start" /t REG_DWORD /d "2" /f
    3⤵
    PID:2656
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3c549" /v "Start" /t REG_DWORD /d "2" /f
    3⤵
    PID:2604
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /f
    3⤵
    PID:2572
- - C:\Windows\system32\reg.exe
    REG DELETE "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /f
    3⤵
    PID:2456
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 1 /f
    3⤵
    PID:2992
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v EnableSmartScreen /t REG_DWORD /d 1 /f
    3⤵
    PID:2564
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DisableDeviceDelete /t REG_DWORD /d 0 /f
    3⤵
    PID:2608
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\dmwappushservice" /V Start /t REG_DWORD /d 2 /f
    3⤵
    PID:2736
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wmiApSrv" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2712
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\sense" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2720
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SensorService" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2636
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SensorDataService" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2792
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SharedRealitySvc" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2488
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SensrSvc" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:1868
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\UsoSvc" /V Start /t REG_DWORD /d 2 /f
    3⤵
    PID:2728
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2492
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Themes" /V Start /t REG_DWORD /d 2 /f
    3⤵
    PID:2696
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SENS" /V Start /t REG_DWORD /d 2 /f
    3⤵
    PID:2224
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\TabletInputService" /V Start /t REG_DWORD /d 2 /f
    3⤵
    PID:2620
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\FontCache" /V Start /t REG_DWORD /d 2 /f
    3⤵
    PID:2452
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WpnUserService" /V Start /t REG_DWORD /d 2 /f
    3⤵
    PID:2460
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\DeviceAssociationService" /V Start /t REG_DWORD /d 2 /f
    3⤵
    PID:2468
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\AppXSvc" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2480
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Spooler" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2512
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wuauserv" /V Start /t REG_DWORD /d 2 /f
    3⤵
    - Modifies security service
    PID:2524
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WaaSMedicSvc" /V Start /t REG_DWORD /d 2 /f
    3⤵
    PID:2196
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\DispBrokerDesktopSvc" /V Start /t REG_DWORD /d 2 /f
    3⤵
    PID:2896
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /V Start /t REG_DWORD /d 2 /f
    3⤵
    - Modifies security service
    PID:2940
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WSearch" /V Start /t REG_DWORD /d 2 /f
    3⤵
    PID:2968
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WpnService" /V Start /t REG_DWORD /d 2 /f
    3⤵
    PID:1124
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\StorSvc" /V Start /t REG_DWORD /d 2 /f
    3⤵
    PID:1180
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\DiagTrack" /V Start /t REG_DWORD /d 2 /f
    3⤵
    PID:2404
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Appinfo" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:764
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\KeyIso" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:1636
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SEMgrSvc" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:1960
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\BthAvctpSvc" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2708
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WbioSrvc" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2644
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\lfsvc" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2536
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WPDBusEnum" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2760
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\PhoneSvc" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2784
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\InstallService" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2740
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\camsvc" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2780
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\cbdhsvc_15bacae" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2876
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\edgeupdate" /V Start /t REG_DWORD /d 2 /f
    3⤵
    PID:2864
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wisvc" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2912
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\NcbService" /V Start /t REG_DWORD /d 3 /f
    3⤵
    PID:3004
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\CDPSvc" /V Start /t REG_DWORD /d 2 /f
    3⤵
    PID:2160
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\LanmanServer" /V Start /t REG_DWORD /d 2 /f
    3⤵
    PID:1996

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1964

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14B9.tmp\low.bat

Filesize
4KB

MD5
b4f7063beb4097c9e72ed1ad81152d13

SHA1
f98ddd81c8795c5ebddf7e2834b4e649aae58876

SHA256
17a4ab0867bd0244ee95b41c15850fbbe238baae56f091d956f610a0bdba5dc5

SHA512
c505675d4997808aaf84216ad9a7ba5ccc4f682bba4a7cb167cd00af5bf4e1233c13e332c0c38a4bdc487903908d503b6f3ca4889881827307a993b2b50a3596

Download Submit
memory/1736-18-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/1964-17-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/2796-0-0x0000000140000000-0x0000000140015000-memory.dmp

Filesize
84KB

Download
memory/2796-16-0x0000000140000000-0x0000000140015000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads