Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-05-2024 16:10
Static task: static1
Behavioral task: behavioral1
- Sample: 356e3491786ba260977987d91967dfca_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 356e3491786ba260977987d91967dfca_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 356e3491786ba260977987d91967dfca_JaffaCakes118.exe
- Size: 137KB
- MD5: 356e3491786ba260977987d91967dfca
- SHA1: fd3d8ad881948a9a9a3e92fa6a77c1fc2bbd8e8c
- SHA256: 2528551adf2d1cf79b73e2f35c514d6ec2969f9af1c2d914ccce2ed87efa7441
- SHA512: 7514bdd9b412b7f86ee9aecd2b46ed3a69afbf52144d5a43d94d3b8c7c63d36e1aba38fa53ce6210a6a1fb88156f35a5573c162ec3d9ccf61c0c46fc60a0b95b
- SSDEEP: 1536:cUbpQ4OPtBT3g/qKeoVXBbH1l6Aj8ln5gAgtqF:NhW8eUBTZQTg
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
Processes: winsvcs.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | winsvcs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | winsvcs.exe
Windows security bypass
Processes: winsvcs.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winsvcs.exe
Executes dropped EXE 1 IoCs
Processes: winsvcs.exe
pid | process
3036 | winsvcs.exe
Windows security modification
Processes: winsvcs.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winsvcs.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 356e3491786ba260977987d91967dfca_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services Up = "C:\\Windows\\T706580746870\\winsvcs.exe" | 356e3491786ba260977987d91967dfca_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services Up = "C:\\Windows\\T706580746870\\winsvcs.exe" | 356e3491786ba260977987d91967dfca_JaffaCakes118.exe
Drops file in Windows directory 3 IoCs
Processes: 356e3491786ba260977987d91967dfca_JaffaCakes118.exe
description | ioc | process
File created | C:\Windows\T706580746870\winsvcs.exe | 356e3491786ba260977987d91967dfca_JaffaCakes118.exe
File opened for modification | C:\Windows\T706580746870\winsvcs.exe | 356e3491786ba260977987d91967dfca_JaffaCakes118.exe
File opened for modification | C:\Windows\T706580746870 | 356e3491786ba260977987d91967dfca_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes: 356e3491786ba260977987d91967dfca_JaffaCakes118.exe, winsvcs.exe
pid | process
4944 | 356e3491786ba260977987d91967dfca_JaffaCakes118.exe (30 identical entries)
3036 | winsvcs.exe (30 identical entries)
Suspicious use of WriteProcessMemory 3 IoCs
Processes: 356e3491786ba260977987d91967dfca_JaffaCakes118.exe
description | pid | process | target process
PID 4944 wrote to memory of 3036 | 4944 | 356e3491786ba260977987d91967dfca_JaffaCakes118.exe | winsvcs.exe
PID 4944 wrote to memory of 3036 | 4944 | 356e3491786ba260977987d91967dfca_JaffaCakes118.exe | winsvcs.exe
PID 4944 wrote to memory of 3036 | 4944 | 356e3491786ba260977987d91967dfca_JaffaCakes118.exe | winsvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\356e3491786ba260977987d91967dfca_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\356e3491786ba260977987d91967dfca_JaffaCakes118.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\T706580746870\winsvcs.exe (depth 2, child of the sample)
    Command line: C:\Windows\T706580746870\winsvcs.exe
    - Modifies Windows Defender Real-time Protection settings
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4172,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4420 /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Windows\T706580746870\winsvcs.exe
  Filesize: 137KB
  MD5: 356e3491786ba260977987d91967dfca
  SHA1: fd3d8ad881948a9a9a3e92fa6a77c1fc2bbd8e8c
  SHA256: 2528551adf2d1cf79b73e2f35c514d6ec2969f9af1c2d914ccce2ed87efa7441
  SHA512: 7514bdd9b412b7f86ee9aecd2b46ed3a69afbf52144d5a43d94d3b8c7c63d36e1aba38fa53ce6210a6a1fb88156f35a5573c162ec3d9ccf61c0c46fc60a0b95b