Analysis
max time kernel: 148s
max time network: 147s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 10-05-2024 06:34
Static task: static1
Behavioral task: behavioral1
Sample: 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
Resource: win7-20240215-en
General
Target: 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
Size: 320KB
MD5: 2dd02ccf7a6df802b1324389ea4906e5
SHA1: 3a0c5200f2141fabde18ee56b5a86b23fd5399a9
SHA256: d29deb9d361f4cae9aed1fd87448ed683cc3418defa20bc84946581bb02ef309
SHA512: 295b56536cf8aef5d1025c79886d17b1bdbb4211acb26acaa919921f68ee5ab4abfe228ba97f98186df09f02083c41ea306b56b06f4e85d292627962ec254a26
SSDEEP: 6144:g4KsCYthSgTwEXat/el4l00CTR4HjvmwOM1:g4tCYHqEXY/e3VQx1
Malware Config
Extracted
phorphiex
http://193.32.161.73/
http://gosurrhrguhr.cc/
http://goheufuhufdr.cc/
http://olruheuuruur.cc/
http://buaeabguguur.cc/
http://ebgiaueghuur.cc/
http://bfbaiefiheir.cc/
http://eeeieiieirdr.cc/
http://abfeiagihisr.cc/
http://nkoaefuhfuhr.cc/
http://ezaziiezfzgr.cc/
http://egaueuefuhgr.cc/
http://aoufauhuefur.cc/
http://aieiiieitter.cc/
http://miokpkaeofkr.cc/
http://rzauerzueutr.cc/
http://gosurrhrguho.co/
http://goheufuhufdo.co/
http://olruheuuruuo.co/
http://buaeabguguuo.co/
http://ebgiaueghuuo.co/
http://bfbaiefiheio.co/
http://eeeieiieirdo.co/
http://abfeiagihiso.co/
http://nkoaefuhfuho.co/
http://ezaziiezfzgo.co/
http://egaueuefuhgo.co/
http://aoufauhuefuo.co/
http://aieiiieitteo.co/
http://miokpkaeofko.co/
http://rzauerzueuto.co/
http://gosurrhrguhp.io/
1L6sJ7pmk6EGMUoTmpdbLez9dXACcirRHh
qzgdgnfd805z83wpu04rhld0yqs4dlrd35ll0ltqql
Xt8ZtCcG9BFoc7NfUNBVnxcTvYT4mmzh5i
D7otx94yAiXMUuuff23v8PAYH5XpkdQ89M
0xa5228127395263575a4b4f532e4f132b14599d24
LUMrZN6GTetcrXtzMmRayLpRN9JrCNcTe7
t1PVHo3JR9ZAxMxRXgTziGBeDwfb5Gwm64z
Signatures
Modifies Windows Defender Real-time Protection settings
Processes: syslmri.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | syslmri.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | syslmri.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | syslmri.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | syslmri.exe
Phorphiex payload 3 IoCs
resource | yara_rule
behavioral1/memory/1724-3-0x0000000000270000-0x000000000027B000-memory.dmp | family_phorphiex
behavioral1/memory/2916-15-0x0000000000370000-0x000000000037B000-memory.dmp | family_phorphiex
behavioral1/memory/2916-16-0x0000000000370000-0x000000000037B000-memory.dmp | family_phorphiex
Windows security bypass
Processes: syslmri.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | syslmri.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | syslmri.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | syslmri.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | syslmri.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | syslmri.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | syslmri.exe
Executes dropped EXE 1 IoCs
Processes: syslmri.exe
pid | process
2916 | syslmri.exe
Loads dropped DLL 2 IoCs
Processes: 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
pid | process
1724 | 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
1724 | 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
Windows security modification
Processes: syslmri.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | syslmri.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | syslmri.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | syslmri.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | syslmri.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | syslmri.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | syslmri.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | syslmri.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\2388727050\\syslmri.exe" | 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\2388727050\\syslmri.exe" | 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
Drops file in Windows directory 3 IoCs
Processes: 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
description | ioc | process
File created | C:\Windows\2388727050\syslmri.exe | 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
File opened for modification | C:\Windows\2388727050\syslmri.exe | 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
File opened for modification | C:\Windows\2388727050 | 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes: 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe, syslmri.exe
pid | process
1724 | 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe (9 entries)
2916 | syslmri.exe (9 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe, syslmri.exe
description | pid | process
Token: SeDebugPrivilege | 1724 | 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
Token: SeDebugPrivilege | 2916 | syslmri.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe, syslmri.exe
pid | process
1724 | 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe (2 entries)
2916 | syslmri.exe (2 entries)
Suspicious use of WriteProcessMemory 4 IoCs
Processes: 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
description | pid | process | target process
PID 1724 wrote to memory of 2916 | 1724 | 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe | syslmri.exe (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe"
   PID: 1724
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\2388727050\syslmri.exe (child of PID 1724)
      Command line: C:\Windows\2388727050\syslmri.exe
      PID: 2916
      - Modifies Windows Defender Real-time Protection settings
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
-
\Windows\2388727050\syslmri.exe
Filesize: 320KB
MD5: 2dd02ccf7a6df802b1324389ea4906e5
SHA1: 3a0c5200f2141fabde18ee56b5a86b23fd5399a9
SHA256: d29deb9d361f4cae9aed1fd87448ed683cc3418defa20bc84946581bb02ef309
SHA512: 295b56536cf8aef5d1025c79886d17b1bdbb4211acb26acaa919921f68ee5ab4abfe228ba97f98186df09f02083c41ea306b56b06f4e85d292627962ec254a26
-
memory/1724-1-0x0000000000430000-0x0000000000437000-memory.dmp
Filesize: 28KB
-
memory/1724-0-0x0000000000400000-0x0000000000454000-memory.dmp
Filesize: 336KB
-
memory/1724-3-0x0000000000270000-0x000000000027B000-memory.dmp
Filesize: 44KB
-
memory/1724-14-0x0000000000430000-0x0000000000437000-memory.dmp
Filesize: 28KB
-
memory/2916-12-0x0000000000400000-0x0000000000454000-memory.dmp
Filesize: 336KB
-
memory/2916-15-0x0000000000370000-0x000000000037B000-memory.dmp
Filesize: 44KB
-
memory/2916-16-0x0000000000370000-0x000000000037B000-memory.dmp
Filesize: 44KB