Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 08-05-2024 02:54
Behavioral task: behavioral1
Sample: 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe
Resource: win7-20240221-en
General
- Target: 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe
- Size: 57KB
- MD5: 22e422508a4d16745e129af689b8b6b6
- SHA1: a19b0376c3fd613d3f83084a3ed18f58aafcbc63
- SHA256: 31fee21f74a3be7ddc0947ff40c941a68545a7f183e56c52b4830c0dbb815a89
- SHA512: 9706b79d350c94211563db7db5ff560310fcae9dd0b77d70c93105588e181a5fb61e737b7b725d8d04ad129defb9bc40e7be54210b9a43f40905e69adc31f20d
- SSDEEP: 768:klUBNsYBS5uzBPhAM4uXGG5bOM5kxoO3YYO4KwUw7V3JPjG5d:yUzsCS5udh2G5bOM5kx13Y4v3tS5
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
Processes: taskhostw.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | taskhostw.exe

Phorphiex payload 1 IoCs
Processes:
resource | yara_rule
\17080295423073\taskhostw.exe | family_phorphiex

Windows security bypass
Processes: taskhostw.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | taskhostw.exe

Executes dropped EXE 1 IoCs
Processes: taskhostw.exe
pid | process
2708 | taskhostw.exe

Loads dropped DLL 4 IoCs
Processes: 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe, WerFault.exe
pid | process
1924 | 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe
2268 | WerFault.exe
2268 | WerFault.exe
2268 | WerFault.exe

Windows security modification
Processes: taskhostw.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | taskhostw.exe

Adds Run key to start application 2 TTPs 2 IoCs
Processes: 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Tasks = "C:\\17080295423073\\taskhostw.exe" | 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Tasks = "C:\\17080295423073\\taskhostw.exe" | 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs
Processes: taskhostw.exe
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7z.exe | taskhostw.exe

Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
2268 | 2708 | WerFault.exe | taskhostw.exe

Suspicious use of WriteProcessMemory 8 IoCs
Processes: 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe, taskhostw.exe
description | pid | process | target process
PID 1924 wrote to memory of 2708 | 1924 | 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe | taskhostw.exe
PID 1924 wrote to memory of 2708 | 1924 | 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe | taskhostw.exe
PID 1924 wrote to memory of 2708 | 1924 | 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe | taskhostw.exe
PID 1924 wrote to memory of 2708 | 1924 | 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe | taskhostw.exe
PID 2708 wrote to memory of 2268 | 2708 | taskhostw.exe | WerFault.exe
PID 2708 wrote to memory of 2268 | 2708 | taskhostw.exe | WerFault.exe
PID 2708 wrote to memory of 2268 | 2708 | taskhostw.exe | WerFault.exe
PID 2708 wrote to memory of 2268 | 2708 | taskhostw.exe | WerFault.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe"
  Signatures:
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\17080295423073\taskhostw.exe
    Command line: C:\17080295423073\taskhostw.exe
    Signatures:
    - Modifies Windows Defender Real-time Protection settings
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 1808
      Signatures:
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- \17080295423073\taskhostw.exe
  Filesize: 57KB
  MD5: 22e422508a4d16745e129af689b8b6b6
  SHA1: a19b0376c3fd613d3f83084a3ed18f58aafcbc63
  SHA256: 31fee21f74a3be7ddc0947ff40c941a68545a7f183e56c52b4830c0dbb815a89
  SHA512: 9706b79d350c94211563db7db5ff560310fcae9dd0b77d70c93105588e181a5fb61e737b7b725d8d04ad129defb9bc40e7be54210b9a43f40905e69adc31f20d