Analysis

- max time kernel: 132s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-05-2024 02:54
Behavioral task: behavioral1

- Sample: 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe
- Resource: win7-20240221-en
General

- Target: 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe
- Size: 57KB
- MD5: 22e422508a4d16745e129af689b8b6b6
- SHA1: a19b0376c3fd613d3f83084a3ed18f58aafcbc63
- SHA256: 31fee21f74a3be7ddc0947ff40c941a68545a7f183e56c52b4830c0dbb815a89
- SHA512: 9706b79d350c94211563db7db5ff560310fcae9dd0b77d70c93105588e181a5fb61e737b7b725d8d04ad129defb9bc40e7be54210b9a43f40905e69adc31f20d
- SSDEEP: 768:klUBNsYBS5uzBPhAM4uXGG5bOM5kxoO3YYO4KwUw7V3JPjG5d:yUzsCS5udh2G5bOM5kx13Y4v3tS5
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
Processes: taskhostw.exe

description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | taskhostw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | taskhostw.exe
Phorphiex payload (1 IoC)
Processes:

resource | yara_rule
C:\287072213927849\taskhostw.exe | family_phorphiex
Windows security bypass
Processes: taskhostw.exe

description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | taskhostw.exe
Executes dropped EXE (1 IoC)
Processes: taskhostw.exe

pid | process
3464 | taskhostw.exe
Windows security modification
Processes: taskhostw.exe

description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | taskhostw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | taskhostw.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe

description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Tasks = "C:\\287072213927849\\taskhostw.exe" | 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Tasks = "C:\\287072213927849\\taskhostw.exe" | 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe
Drops file in Program Files directory (1 IoC)
Processes: taskhostw.exe

description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7z.exe | taskhostw.exe
Program crash (1 IoC)
Processes: WerFault.exe

pid | pid_target | process | target process
3876 | 3464 | WerFault.exe | taskhostw.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe

description | pid | process | target process
PID 944 wrote to memory of 3464 | 944 | 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe | taskhostw.exe
PID 944 wrote to memory of 3464 | 944 | 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe | taskhostw.exe
PID 944 wrote to memory of 3464 | 944 | 22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe | taskhostw.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\22e422508a4d16745e129af689b8b6b6_JaffaCakes118.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\287072213927849\taskhostw.exe
      Command line: C:\287072213927849\taskhostw.exe
      - Modifies Windows Defender Real-time Protection settings
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Drops file in Program Files directory

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1304
         - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3464 -ip 3464
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads

- C:\287072213927849\taskhostw.exe
  - Filesize: 57KB
  - MD5: 22e422508a4d16745e129af689b8b6b6
  - SHA1: a19b0376c3fd613d3f83084a3ed18f58aafcbc63
  - SHA256: 31fee21f74a3be7ddc0947ff40c941a68545a7f183e56c52b4830c0dbb815a89
  - SHA512: 9706b79d350c94211563db7db5ff560310fcae9dd0b77d70c93105588e181a5fb61e737b7b725d8d04ad129defb9bc40e7be54210b9a43f40905e69adc31f20d