Analysis
max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-05-2024 06:34
Static task: static1
Behavioral task: behavioral1
Sample: 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
Resource: win7-20240215-en
General
Target: 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
Size: 320KB
MD5: 2dd02ccf7a6df802b1324389ea4906e5
SHA1: 3a0c5200f2141fabde18ee56b5a86b23fd5399a9
SHA256: d29deb9d361f4cae9aed1fd87448ed683cc3418defa20bc84946581bb02ef309
SHA512: 295b56536cf8aef5d1025c79886d17b1bdbb4211acb26acaa919921f68ee5ab4abfe228ba97f98186df09f02083c41ea306b56b06f4e85d292627962ec254a26
SSDEEP: 6144:g4KsCYthSgTwEXat/el4l00CTR4HjvmwOM1:g4tCYHqEXY/e3VQx1
Malware Config
Extracted: phorphiex
Config values:
http://193.32.161.73/
http://gosurrhrguhr.cc/
http://goheufuhufdr.cc/
http://olruheuuruur.cc/
http://buaeabguguur.cc/
http://ebgiaueghuur.cc/
http://bfbaiefiheir.cc/
http://eeeieiieirdr.cc/
http://abfeiagihisr.cc/
http://nkoaefuhfuhr.cc/
http://ezaziiezfzgr.cc/
http://egaueuefuhgr.cc/
http://aoufauhuefur.cc/
http://aieiiieitter.cc/
http://miokpkaeofkr.cc/
http://rzauerzueutr.cc/
http://gosurrhrguho.co/
http://goheufuhufdo.co/
http://olruheuuruuo.co/
http://buaeabguguuo.co/
http://ebgiaueghuuo.co/
http://bfbaiefiheio.co/
http://eeeieiieirdo.co/
http://abfeiagihiso.co/
http://nkoaefuhfuho.co/
http://ezaziiezfzgo.co/
http://egaueuefuhgo.co/
http://aoufauhuefuo.co/
http://aieiiieitteo.co/
http://miokpkaeofko.co/
http://rzauerzueuto.co/
http://gosurrhrguhp.io/
1L6sJ7pmk6EGMUoTmpdbLez9dXACcirRHh
qzgdgnfd805z83wpu04rhld0yqs4dlrd35ll0ltqql
Xt8ZtCcG9BFoc7NfUNBVnxcTvYT4mmzh5i
D7otx94yAiXMUuuff23v8PAYH5XpkdQ89M
0xa5228127395263575a4b4f532e4f132b14599d24
LUMrZN6GTetcrXtzMmRayLpRN9JrCNcTe7
t1PVHo3JR9ZAxMxRXgTziGBeDwfb5Gwm64z
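The extracted configuration above is a flat list: 32 HTTP URLs (one raw IP, fifteen .cc domains, fifteen .co domains and one .io), followed by seven strings whose syntax matches cryptocurrency address formats. The Python below is an added example written for this page; it is neither Triage's config extractor nor code from the sample. It sorts the list into IPs, domains and address-format matches, and groups the domains by their shared 11-character label stem, which makes the .cc/.co (and one .io) pairs visible as fallback domains for the same family. Address classification is by syntax only (prefix, alphabet, length) and says nothing about who controls an address or how the sample uses it; the coin labels and the stem length are my own choices. Phorphiex builds are widely reported to carry a clipboard-hijacking component, but this report records no clipboard activity, so treat that as context rather than a finding.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Copied verbatim from the "Malware Config / Extracted" block of this report.
EXTRACTED = """
http://193.32.161.73/
http://gosurrhrguhr.cc/
http://goheufuhufdr.cc/
http://olruheuuruur.cc/
http://buaeabguguur.cc/
http://ebgiaueghuur.cc/
http://bfbaiefiheir.cc/
http://eeeieiieirdr.cc/
http://abfeiagihisr.cc/
http://nkoaefuhfuhr.cc/
http://ezaziiezfzgr.cc/
http://egaueuefuhgr.cc/
http://aoufauhuefur.cc/
http://aieiiieitter.cc/
http://miokpkaeofkr.cc/
http://rzauerzueutr.cc/
http://gosurrhrguho.co/
http://goheufuhufdo.co/
http://olruheuuruuo.co/
http://buaeabguguuo.co/
http://ebgiaueghuuo.co/
http://bfbaiefiheio.co/
http://eeeieiieirdo.co/
http://abfeiagihiso.co/
http://nkoaefuhfuho.co/
http://ezaziiezfzgo.co/
http://egaueuefuhgo.co/
http://aoufauhuefuo.co/
http://aieiiieitteo.co/
http://miokpkaeofko.co/
http://rzauerzueuto.co/
http://gosurrhrguhp.io/
1L6sJ7pmk6EGMUoTmpdbLez9dXACcirRHh
qzgdgnfd805z83wpu04rhld0yqs4dlrd35ll0ltqql
Xt8ZtCcG9BFoc7NfUNBVnxcTvYT4mmzh5i
D7otx94yAiXMUuuff23v8PAYH5XpkdQ89M
0xa5228127395263575a4b4f532e4f132b14599d24
LUMrZN6GTetcrXtzMmRayLpRN9JrCNcTe7
t1PVHo3JR9ZAxMxRXgTziGBeDwfb5Gwm64z
"""

B58 = r"[1-9A-HJ-NP-Za-km-z]"   # base58 alphabet: no 0, O, I, l
B32 = r"[02-9ac-hj-np-z]"       # bech32/cashaddr alphabet: no 1, b, i, o
# Syntax-only rules (prefix, alphabet, length). A match is a format match, not
# proof of ownership or of how the sample uses the value. More specific
# prefixes come first so that "t1..." is not swallowed by a looser rule.
ADDRESS_RULES = [
    ("ETH",  re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("BCH",  re.compile(rf"^[qp]{B32}{{41}}$")),      # cashaddr, "bitcoincash:" prefix omitted
    ("ZEC",  re.compile(rf"^t1{B58}{{33}}$")),        # transparent t-address
    ("BTC",  re.compile(rf"^[13]{B58}{{25,34}}$")),   # legacy P2PKH / P2SH
    ("DASH", re.compile(rf"^X{B58}{{33}}$")),
    ("DOGE", re.compile(rf"^D{B58}{{33}}$")),
    ("LTC",  re.compile(rf"^[LM]{B58}{{33}}$")),
]


def classify(text):
    """Split whitespace-separated config values into IPs, domains, addresses and leftovers."""
    out = {"ips": [], "domains": [], "addresses": [], "unclassified": []}
    for item in text.split():
        if "://" in item:
            host = urlparse(item).hostname or ""
            try:
                ipaddress.ip_address(host)
                out["ips"].append(host)
            except ValueError:
                out["domains"].append(host)
            continue
        for coin, rule in ADDRESS_RULES:
            if rule.match(item):
                out["addresses"].append((coin, item))
                break
        else:
            out["unclassified"].append(item)
    return out


def domain_families(domains, stem_len=11):
    """Group domains whose first label shares a stem; this exposes the .cc/.co/.io fallbacks."""
    families = defaultdict(list)
    for domain in domains:
        families[domain.split(".")[0][:stem_len]].append(domain)
    return dict(families)


if __name__ == "__main__":
    result = classify(EXTRACTED)
    print(f"{len(result['ips'])} IP(s), {len(result['domains'])} domain(s), "
          f"{len(result['addresses'])} address(es), {len(result['unclassified'])} unclassified")
    for stem, members in sorted(domain_families(result["domains"]).items()):
        print(f"  {stem}: {', '.join(sorted(members))}")
    for coin, addr in result["addresses"]:
        print(f"  {coin:4} {addr}")
```

Running it on this report's config yields one IP, 31 domains in 15 stem families (only the gosurrhrguh stem has three members, across .cc, .co and .io) and seven address-format matches, one per coin rule. Feed the `domains` list straight into a DNS sinkhole or proxy blocklist; the stems are a cheap way to spot the next rotation if a later sample only changes the last letter and TLD.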
Signatures

Modifies Windows Defender Real-time Protection settings 4 IoCs
Processes: sysidnu.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | sysidnu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | sysidnu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | sysidnu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | sysidnu.exe
Phorphiex payload 3 IoCs
resource | yara_rule
behavioral2/memory/1760-2-0x0000000002210000-0x000000000221B000-memory.dmp | family_phorphiex
behavioral2/memory/3840-11-0x00000000005B0000-0x00000000005BB000-memory.dmp | family_phorphiex
behavioral2/memory/3840-12-0x00000000005B0000-0x00000000005BB000-memory.dmp | family_phorphiex
Windows security bypass 6 IoCs
Processes: sysidnu.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysidnu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysidnu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysidnu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysidnu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysidnu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysidnu.exe
Executes dropped EXE 1 IoCs
pid | process
3840 | sysidnu.exe
Windows security modification 7 IoCs
Processes: sysidnu.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysidnu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysidnu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysidnu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysidnu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysidnu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | sysidnu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysidnu.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\217602435\\sysidnu.exe" | 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\217602435\\sysidnu.exe" | 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
Drops file in Windows directory 3 IoCs
Processes: 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Windows\217602435\sysidnu.exe | 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
File opened for modification | C:\Windows\217602435 | 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
File created | C:\Windows\217602435\sysidnu.exe | 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes: 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe, sysidnu.exe
pid | process
1760 | 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe (18 entries)
3840 | sysidnu.exe (18 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe, sysidnu.exe
description | pid | process
Token: SeDebugPrivilege | 1760 | 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
Token: SeDebugPrivilege | 3840 | sysidnu.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe, sysidnu.exe
pid | process
1760 | 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe (2 entries)
3840 | sysidnu.exe (2 entries)
Suspicious use of WriteProcessMemory 3 IoCs
Processes: 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe
description | pid | process | target process
PID 1760 wrote to memory of 3840 | 1760 | 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe | sysidnu.exe (3 entries)
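The registry writes recorded in the signature tables above are the detection-relevant part of this report: sysidnu.exe sets the Group Policy-backed real-time protection switches under Policies\Microsoft\Windows Defender and the Security Center override/notification values, and the dropper writes an HKLM and an HKU Run entry named "Microsoft Windows Driver" pointing at C:\Windows\217602435\sysidnu.exe. One caveat a responder should keep in mind: on a Windows 10 host with Tamper Protection enabled, Defender does not honour these policy writes, so the value of the event lies in the attempt, not in any effect. The Python below is an added example (not Triage's signature engine and not code from the sample) that parses report-style "Set value" lines, normalises the native \REGISTRY\MACHINE and WOW6432Node paths to HKLM/HKU form, maps each write to an ATT&CK technique, and flags Run-key targets that sit in a digits-only directory under C:\Windows, as this sample's does. The event lines are copied from this report plus one constructed benign write to show what is left alone; the rules, the technique mapping and the numeric-directory heuristic are my own.

```python
import re
from collections import Counter

# Registry IoC lines copied from the signature tables of this report, plus one
# constructed benign write (explorer.exe) to show what the rules leave alone.
REGISTRY_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" sysidnu.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" sysidnu.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" sysidnu.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" sysidnu.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" sysidnu.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\217602435\\sysidnu.exe" 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\217602435\\sysidnu.exe" 2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe',
    # constructed benign write, not from the report
    r'Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" explorer.exe',
]

# 'Set value (<type>) <path> = "<data>" <process>'; the path is matched lazily
# up to the first ' = "', the data greedily up to the last '" '.
EVENT_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')


def normalize_key(path):
    r"""Native \REGISTRY\MACHINE|USER path -> HKLM/HKU form, WOW6432Node redirection removed."""
    path = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    path = re.sub(r"^\\REGISTRY\\USER", "HKU", path, flags=re.I)
    return re.sub(r"\\WOW6432Node(?=\\)", "", path, flags=re.I)


def parse_event(line):
    """Parse one report-style registry write; returns None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    vtype, path, data, process = m.groups()
    key, _, name = normalize_key(path).rpartition("\\")
    # the report doubles backslashes inside quoted string data; undo that
    return {"type": vtype, "key": key, "name": name,
            "data": data.replace("\\\\", "\\"), "process": process}


# (technique id, description, key-path rule); the rule is searched against key + "\"
RULES = [
    ("T1562.001", "Impair Defenses: Disable or Modify Tools (Defender policy)",
     re.compile(r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\", re.I)),
    ("T1562.001", "Impair Defenses: Disable or Modify Tools (Security Center)",
     re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Security Center\\", re.I)),
    ("T1547.001", "Boot or Logon Autostart Execution: Registry Run Keys",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)),
]
# This sample's autorun target lives in a digits-only directory under C:\Windows;
# that is a heuristic drawn from this report, not a general Phorphiex rule.
NUMERIC_WINDOWS_DIR = re.compile(r"^C:\\Windows\\\d+\\", re.I)


def analyze(lines):
    """Return one finding per parsed write that matches a rule; unmatched writes are dropped."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        for technique, description, rule in RULES:
            if rule.search(event["key"] + "\\"):
                finding = dict(event, technique=technique, description=description)
                if technique == "T1547.001" and NUMERIC_WINDOWS_DIR.match(event["data"]):
                    finding["note"] = "autorun target is a numeric directory under C:\\Windows"
                findings.append(finding)
                break
    return findings


def by_process(findings):
    """Count findings per (process, technique) pair for a quick triage summary."""
    return Counter((f["process"], f["technique"]) for f in findings)


if __name__ == "__main__":
    found = analyze(REGISTRY_EVENTS)
    for (process, technique), n in sorted(by_process(found).items()):
        print(f"{process}: {technique} x{n}")
    for f in found:
        print(f"  [{f['technique']}] {f['process']} -> {f['key']}\\{f['name']} = {f['data']}"
              + (f"  ({f['note']})" if "note" in f else ""))
```

On the lines from this report the script attributes five T1562.001 writes to sysidnu.exe and two T1547.001 writes to the dropper, both of the latter carrying the numeric-directory note, and ignores the constructed explorer.exe write. The same parser works on Sysmon Event ID 13 or EDR registry telemetry once the fields are joined into this one-line shape.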
Processes
1. C:\Users\Admin\AppData\Local\Temp\2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe (PID 1760)
   command line: "C:\Users\Admin\AppData\Local\Temp\2dd02ccf7a6df802b1324389ea4906e5_JaffaCakes118.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\217602435\sysidnu.exe (PID 3840, child of 1)
      command line: C:\Windows\217602435\sysidnu.exe
      - Modifies Windows Defender Real-time Protection settings
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads

C:\Windows\217602435\sysidnu.exe
Filesize: 320KB
MD5: 2dd02ccf7a6df802b1324389ea4906e5
SHA1: 3a0c5200f2141fabde18ee56b5a86b23fd5399a9
SHA256: d29deb9d361f4cae9aed1fd87448ed683cc3418defa20bc84946581bb02ef309
SHA512: 295b56536cf8aef5d1025c79886d17b1bdbb4211acb26acaa919921f68ee5ab4abfe228ba97f98186df09f02083c41ea306b56b06f4e85d292627962ec254a26
(identical in size and all four hashes to the submitted sample: the dropper copies itself into C:\Windows\217602435\ and the Run key launches that copy)

memory/1760-0-0x0000000000400000-0x0000000000454000-memory.dmp
Filesize: 336KB

memory/1760-1-0x0000000000430000-0x0000000000437000-memory.dmp
Filesize: 28KB

memory/1760-2-0x0000000002210000-0x000000000221B000-memory.dmp
Filesize: 44KB

memory/1760-10-0x0000000000430000-0x0000000000437000-memory.dmp
Filesize: 28KB

memory/3840-8-0x0000000000400000-0x0000000000454000-memory.dmp
Filesize: 336KB

memory/3840-11-0x00000000005B0000-0x00000000005BB000-memory.dmp
Filesize: 44KB

memory/3840-12-0x00000000005B0000-0x00000000005BB000-memory.dmp
Filesize: 44KB