Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 21-04-2024 18:22
Static task: static1
Behavioral task: behavioral1
  Sample: ffe2d2dd736ffefc03ab601d330371c6_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: ffe2d2dd736ffefc03ab601d330371c6_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: ffe2d2dd736ffefc03ab601d330371c6_JaffaCakes118.exe
Size: 344KB
MD5: ffe2d2dd736ffefc03ab601d330371c6
SHA1: e255f41fe960ab48929fa65a32785f3e8c5a3abc
SHA256: 67672f834f933fed057ef630293221a5a46687c1d1656776cf378b8637062447
SHA512: 7b8b07e785ee2b6ce2e5db6ee825e220d6ce2ea480f83dc78d7d863f8e9fee3e3f16d5039f3fe09231a5e06babbd00ebd9b41dc2e63bcfb26ff9cbc6cd026a15
SSDEEP: 6144:7rOYeg8hY2Uw/M9sKBsEhPSVqW6kti4zDDcyMHKi4OTxXVmev+knrY2OM5t:27g8hYLa/4SVN6EzPcyMHKBOTxlmev+F
Signatures

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6A5B00014973000BB725B4EB2331.exe

Windows security bypass
Disables taskbar notifications via registry modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 043A6A5B00014973000BB725B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 043A6A5B00014973000BB725B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 043A6A5B00014973000BB725B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 043A6A5B00014973000BB725B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 043A6A5B00014973000BB725B4EB2331.exe
-
Deletes itself 1 IoCs
pid | Process
2860 | 043A6A5B00014973000BB725B4EB2331.exe

Executes dropped EXE 1 IoCs
pid | Process
2860 | 043A6A5B00014973000BB725B4EB2331.exe

Loads dropped DLL 2 IoCs
pid | Process
1884 | ffe2d2dd736ffefc03ab601d330371c6_JaffaCakes118.exe
1884 | ffe2d2dd736ffefc03ab601d330371c6_JaffaCakes118.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 043A6A5B00014973000BB725B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 043A6A5B00014973000BB725B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 043A6A5B00014973000BB725B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 043A6A5B00014973000BB725B4EB2331.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc | 043A6A5B00014973000BB725B4EB2331.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc | 043A6A5B00014973000BB725B4EB2331.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 043A6A5B00014973000BB725B4EB2331.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6A5B00014973000BB725B4EB2331.exe
Modifies registry class 22 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\043A6\shell\start\command | 043A6A5B00014973000BB725B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\043A6\shell\start\command\ = "\"%1\" %*" | 043A6A5B00014973000BB725B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\043A6\shell\runas\command | 043A6A5B00014973000BB725B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\043A6\shell\runas | 043A6A5B00014973000BB725B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe\ = "043A6" | 043A6A5B00014973000BB725B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\043A6 | 043A6A5B00014973000BB725B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\043A6\Content Type = "application/x-msdownload" | 043A6A5B00014973000BB725B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\043A6\shell\open\command\ = "\"C:\\ProgramData\\043A6A5B00014973000BB725B4EB2331\\043A6A5B00014973000BB725B4EB2331.exe\" -s \"%1\" %*" | 043A6A5B00014973000BB725B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\043A6\shell\runas\command\IsolatedCommand = "\"%1\" %*" | 043A6A5B00014973000BB725B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\043A6\shell\open\command\IsolatedCommand = "\"%1\" %*" | 043A6A5B00014973000BB725B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\043A6\shell\start | 043A6A5B00014973000BB725B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\043A6\shell\runas\command\ = "\"%1\" %*" | 043A6A5B00014973000BB725B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\043A6\shell\open\command | 043A6A5B00014973000BB725B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\043A6\shell | 043A6A5B00014973000BB725B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\043A6\shell\start\command\IsolatedCommand = "\"%1\" %*" | 043A6A5B00014973000BB725B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\043A6\DefaultIcon | 043A6A5B00014973000BB725B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\043A6\DefaultIcon\ = "%1" | 043A6A5B00014973000BB725B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\043A6\shell\open | 043A6A5B00014973000BB725B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.exe | 043A6A5B00014973000BB725B4EB2331.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\%s | 043A6A5B00014973000BB725B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\%s\ = "043A6" | 043A6A5B00014973000BB725B4EB2331.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\043A6\ = "Application" | 043A6A5B00014973000BB725B4EB2331.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1884 | ffe2d2dd736ffefc03ab601d330371c6_JaffaCakes118.exe
2860 | 043A6A5B00014973000BB725B4EB2331.exe

Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2860 | 043A6A5B00014973000BB725B4EB2331.exe
2860 | 043A6A5B00014973000BB725B4EB2331.exe

Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
2860 | 043A6A5B00014973000BB725B4EB2331.exe
2860 | 043A6A5B00014973000BB725B4EB2331.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2860 | 043A6A5B00014973000BB725B4EB2331.exe
2860 | 043A6A5B00014973000BB725B4EB2331.exe

Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 1884 wrote to memory of 2860 | 1884 | ffe2d2dd736ffefc03ab601d330371c6_JaffaCakes118.exe | 28
PID 1884 wrote to memory of 2860 | 1884 | ffe2d2dd736ffefc03ab601d330371c6_JaffaCakes118.exe | 28
PID 1884 wrote to memory of 2860 | 1884 | ffe2d2dd736ffefc03ab601d330371c6_JaffaCakes118.exe | 28
PID 1884 wrote to memory of 2860 | 1884 | ffe2d2dd736ffefc03ab601d330371c6_JaffaCakes118.exe | 28

System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6A5B00014973000BB725B4EB2331.exe
Processes

C:\Users\Admin\AppData\Local\Temp\ffe2d2dd736ffefc03ab601d330371c6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ffe2d2dd736ffefc03ab601d330371c6_JaffaCakes118.exe"
  PID: 1884
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\043A6A5B00014973000BB725B4EB2331\043A6A5B00014973000BB725B4EB2331.exe (child of PID 1884)
    Command line: "C:\ProgramData\043A6A5B00014973000BB725B4EB2331\043A6A5B00014973000BB725B4EB2331.exe" -d "C:\Users\Admin\AppData\Local\Temp\ffe2d2dd736ffefc03ab601d330371c6_JaffaCakes118.exe"
    PID: 2860
    - UAC bypass
    - Windows security bypass
    - Deletes itself
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - System policy modification
Downloads

Filesize: 328B
MD5: 24a93889b716315baaba6ee76b3daaa5
SHA1: 3b99f11f0e9f632e5b3f00fb616011ee8d3bc906
SHA256: 76ca4b3f653b9cfa0a891b05095dbed3a2b1569743bfee96c163ca6a41c4d5b4
SHA512: fe912058b2c9248db9d01edfc8a3494310d3a501cace9c0afcf33dbf8d2c2cd39679456b2b045dc8182129606acfd4e516213438dd20108834336b2cc383b777

Filesize: 344KB
MD5: ffe2d2dd736ffefc03ab601d330371c6
SHA1: e255f41fe960ab48929fa65a32785f3e8c5a3abc
SHA256: 67672f834f933fed057ef630293221a5a46687c1d1656776cf378b8637062447
SHA512: 7b8b07e785ee2b6ce2e5db6ee825e220d6ce2ea480f83dc78d7d863f8e9fee3e3f16d5039f3fe09231a5e06babbd00ebd9b41dc2e63bcfb26ff9cbc6cd026a15