Analysis
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 12-05-2024 05:43
Static task: static1
Behavioral task: behavioral1
Sample: 388b85eb5ecd9320a1064d7074248253_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: 388b85eb5ecd9320a1064d7074248253_JaffaCakes118.exe
Size: 643KB
MD5: 388b85eb5ecd9320a1064d7074248253
SHA1: f863380c12b20e8a61c506dc02f6861b66093aa4
SHA256: 68657be04f5b550fec4671437e5dc5849408eada96f5ff44cb0972b0e28ca5be
SHA512: ed095b0e047aeadf7df97ca8b41807feff70c34e3c256e4cd0336235811fd1102514da133810dd364a4473cb0085cf7f6dce254b5a0b95f254f2728185dcb465
SSDEEP: 6144:szEVDCe1/nxlwa7WAj095ZnV/0Aw2zoYOqrW54aUsN4nNkDB8qU9xyuB+B:szUDD/xlwKWA4Vg5q2UsN49qU9KB
Malware Config
Extracted
Family: phorphiex
C2:
http://88.218.16.27/
http://tldrbox.top/
http://ghiehigeahghehg.ru/
http://aeouhefuehfuehf.ru/
http://uefuueahhfuuaht.ru/
http://afheaufuehafhhg.ru/
http://afaeufuegfugfug.ru/
http://fahfihhefihaehf.ru/
http://fuegufaefuegfgr.ru/
http://feufhuehfhufuhg.ru/
http://efieifihihdihhg.ru/
http://aefihiehfheihfh.ru/
http://aefihaeifhefihh.ru/
http://eafuefiuaihfief.ru/
http://egesgshretteztz.ru/
http://egohoshgsrhoror.ru/
http://eihehgeojfurrie.ru/
http://etehteirhehrihh.ru/
http://wegihwehwhhirht.ru/
http://wiiwurtiwrutiut.ru/
http://weieuuueueuruur.ru/
http://efihhfishihefit.ru/
http://ghiehigeahghehg.su/
http://aeouhefuehfuehf.su/
http://uefuueahhfuuaht.su/
http://afheaufuehafhhg.su/
http://afaeufuegfugfug.su/
http://fahfihhefihaehf.s
Wallet addresses:
1DhR14ZJtGzfdeemj49Jje6D3ZHEZQh6P3
3EzR2S3wTiiyokZE9bvY82FZiPA5m45SAC
qz95vtk4m2rw0lh7dqzlte7yasxrun47svq32p2w08
Xj2wdxqZ1pBadtPkc1mmF24QExHrZASNj6
DDhtw2BZwE12tVyQrrHFWA7u1aeD4bfa58
0xAc9A31bB9E9A3887FfC9513a93dd6da7EC648345
MJU87911Csqcutpza84nEQ2wZNn6X2b7iV
t1Lp6Cy2d63yV5H1n2LQrJwEgLXuVho43PA
Signatures

Modifies Windows Defender Real-time Protection settings 4 IoCs
Processes: svchost.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (svchost.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (svchost.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (svchost.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (svchost.exe)

Phorphiex payload 2 IoCs
resource: yara_rule
behavioral1/memory/1812-7-0x0000000000050000-0x000000000015B000-memory.dmp: family_phorphiex
behavioral1/memory/2556-11-0x0000000000AD0000-0x0000000000BDB000-memory.dmp: family_phorphiex

Windows security bypass 6 IoCs
Processes: svchost.exe
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" (svchost.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (svchost.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (svchost.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (svchost.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (svchost.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (svchost.exe)

Executes dropped EXE 1 IoCs
Processes: svchost.exe
PID 2556: svchost.exe

Loads dropped DLL 1 IoCs
Processes: 388b85eb5ecd9320a1064d7074248253_JaffaCakes118.exe
PID 1812: 388b85eb5ecd9320a1064d7074248253_JaffaCakes118.exe

Windows security modification 7 IoCs
Processes: svchost.exe
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (svchost.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (svchost.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" (svchost.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (svchost.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (svchost.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" (svchost.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (svchost.exe)

Adds Run key to start application 2 TTPs 2 IoCs
Processes: 388b85eb5ecd9320a1064d7074248253_JaffaCakes118.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\95312420223943\\svchost.exe" (388b85eb5ecd9320a1064d7074248253_JaffaCakes118.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\95312420223943\\svchost.exe" (388b85eb5ecd9320a1064d7074248253_JaffaCakes118.exe)

Drops file in Windows directory 3 IoCs
Processes: 388b85eb5ecd9320a1064d7074248253_JaffaCakes118.exe
File created: C:\Windows\95312420223943\svchost.exe (388b85eb5ecd9320a1064d7074248253_JaffaCakes118.exe)
File opened for modification: C:\Windows\95312420223943\svchost.exe (388b85eb5ecd9320a1064d7074248253_JaffaCakes118.exe)
File opened for modification: C:\Windows\95312420223943 (388b85eb5ecd9320a1064d7074248253_JaffaCakes118.exe)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory 4 IoCs
Processes: 388b85eb5ecd9320a1064d7074248253_JaffaCakes118.exe
PID 1812 (388b85eb5ecd9320a1064d7074248253_JaffaCakes118.exe) wrote to memory of PID 2556 (svchost.exe), reported 4 times
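The registry and file indicators above translate directly into host detection logic. The following is an added example, not part of this sandbox report and not the sandbox's own rule code. It runs such checks over constructed, Sysmon-like event lines: the pipe-separated layout (EventID|Image|Operation|Target|Data) is an assumption made for the example and only mimics Sysmon Event ID 13 (registry value set) and Event ID 11 (file create); the rule names are the example's own. The sample events reproduce this report's three Defender Real-Time Protection values, two of the Security Center override/notify values, both Run-key writes and the svchost.exe drop under C:\Windows\95312420223943, plus two benign control events that must not fire.

```python
"""Host-side checks for the registry and file IoCs in this report (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\388b85eb5ecd9320a1064d7074248253_JaffaCakes118.exe"
DROPPED = "C:\\Windows\\95312420223943\\svchost.exe"
RTP = "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
SC = "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\"

# Constructed events (not real telemetry). The first eight reproduce this
# report's IoCs; the last two are benign controls: a policy value set back
# to 0 by the real svchost.exe, and the real svchost.exe being written to System32.
SAMPLE_EVENTS = [
    f"13|{DROPPED}|SetValue|{RTP}DisableScanOnRealtimeEnable|DWORD (0x00000001)",
    f"13|{DROPPED}|SetValue|{RTP}DisableOnAccessProtection|DWORD (0x00000001)",
    f"13|{DROPPED}|SetValue|{RTP}DisableBehaviorMonitoring|DWORD (0x00000001)",
    f"13|{DROPPED}|SetValue|{SC}AntiVirusOverride|DWORD (0x00000001)",
    f"13|{DROPPED}|SetValue|{SC}FirewallDisableNotify|DWORD (0x00000001)",
    f"13|{SAMPLE}|SetValue|\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Windows Driver|{DROPPED}",
    f"13|{SAMPLE}|SetValue|\\REGISTRY\\USER\\S-1-5-21-268080393-3149932598-1824759070-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Windows Driver|{DROPPED}",
    f"11|{SAMPLE}|FileCreate|{DROPPED}|",
    f"13|C:\\Windows\\System32\\svchost.exe|SetValue|{RTP}DisableBehaviorMonitoring|DWORD (0x00000000)",
    "11|C:\\Windows\\servicing\\TrustedInstaller.exe|FileCreate|C:\\Windows\\System32\\svchost.exe|",
]

# Keys/values taken from the Signatures section, normalised to lower case with
# the hive shortened and Wow6432Node removed (see normalise_key).
DEFENDER_RTP_KEY = r"hklm\software\policies\microsoft\windows defender\real-time protection"
DEFENDER_RTP_VALUES = {"disablescanonrealtimeenable", "disableonaccessprotection",
                       "disablebehaviormonitoring"}
SECURITY_CENTER_KEY = r"hklm\software\microsoft\security center"
SECURITY_CENTER_VALUES = {"antivirusoverride", "firewalloverride", "updatesoverride",
                          "antivirusdisablenotify", "firewalldisablenotify",
                          "updatesdisablenotify", "autoupdatedisablenotify"}
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
# The only directories a genuine svchost.exe lives in; the sample drops its copy elsewhere.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Alert:
    rule: str
    image: str
    detail: str


def normalise_key(target):
    """Lower-case a registry path and split it into (key, value name), mapping
    \\REGISTRY\\MACHINE to hklm, a user SID hive to hkcu, and folding Wow6432Node."""
    key, _, value = target.lower().rpartition("\\")
    key = re.sub(r"^\\registry\\machine\\", "hklm\\\\", key)
    key = re.sub(r"^\\registry\\user\\s-1-5-[\d-]+\\", "hkcu\\\\", key)
    return key.replace("\\wow6432node", ""), value


def dword(data):
    """Integer from a 'DWORD (0x...)' field, or None for non-numeric data."""
    m = re.search(r"0x([0-9a-f]+)", data.lower())
    return int(m.group(1), 16) if m else None


def masquerading_svchost(path):
    """svchost.exe anywhere other than System32/SysWOW64 is a masqueraded binary."""
    p = path.strip('"').lower()
    return p.endswith("\\svchost.exe") and not p.startswith(SYSTEM_DIRS)


def check_registry(image, target, data):
    key, value = normalise_key(target)
    alerts = []
    # Only a non-zero DWORD disables protection; a write of 0 is re-enabling it.
    if key == DEFENDER_RTP_KEY and value in DEFENDER_RTP_VALUES and dword(data):
        alerts.append(Alert("defender_rtp_disabled", image, f"{value}=1"))
    if key == SECURITY_CENTER_KEY and value in SECURITY_CENTER_VALUES and dword(data):
        alerts.append(Alert("security_center_override", image, f"{value}=1"))
    if key.endswith(RUN_KEY_SUFFIX):            # both HKLM and HKCU Run keys
        hive = key.split("\\", 1)[0]
        alerts.append(Alert("run_key_persistence", image, f"{hive} {value} -> {data}"))
        if masquerading_svchost(data):
            alerts.append(Alert("masquerading_svchost", image, data))
    return alerts


def check_file(image, path):
    return [Alert("masquerading_svchost", image, path)] if masquerading_svchost(path) else []


def scan(lines):
    alerts = []
    for line in lines:
        event_id, image, _operation, target, data = line.rstrip("\n").split("|", 4)
        if event_id == "13":
            alerts.extend(check_registry(image, target, data))
        elif event_id == "11":
            alerts.extend(check_file(image, target))
    return alerts


def summarise(alerts):
    return dict(Counter(a.rule for a in alerts))


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.rule:26} {a.image:60} {a.detail}")
    print(summarise(scan(SAMPLE_EVENTS)))
```

Run stand-alone it prints ten alerts for the eight malicious events and none for the two controls. The Security Center checks key on the value data rather than the writing image because, on this sample, the writer is itself named svchost.exe; the masquerade rule is what separates the dropped copy from the real one.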
Processes
C:\Users\Admin\AppData\Local\Temp\388b85eb5ecd9320a1064d7074248253_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\388b85eb5ecd9320a1064d7074248253_JaffaCakes118.exe" (1)
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
  C:\Windows\95312420223943\svchost.exe
  Command line: C:\Windows\95312420223943\svchost.exe (2, child of 1)
  - Modifies Windows Defender Real-time Protection settings
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence:
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads

\Windows\95312420223943\svchost.exe
Filesize: 643KB
MD5: 388b85eb5ecd9320a1064d7074248253
SHA1: f863380c12b20e8a61c506dc02f6861b66093aa4
SHA256: 68657be04f5b550fec4671437e5dc5849408eada96f5ff44cb0972b0e28ca5be
SHA512: ed095b0e047aeadf7df97ca8b41807feff70c34e3c256e4cd0336235811fd1102514da133810dd364a4473cb0085cf7f6dce254b5a0b95f254f2728185dcb465

memory/1812-0-0x00000000002E0000-0x0000000000300000-memory.dmp
Filesize: 128KB

memory/1812-8-0x00000000002E0000-0x0000000000300000-memory.dmp
Filesize: 128KB

memory/1812-7-0x0000000000050000-0x000000000015B000-memory.dmp
Filesize: 1.0MB

memory/2556-9-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB

memory/2556-11-0x0000000000AD0000-0x0000000000BDB000-memory.dmp
Filesize: 1.0MB
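The memory dump names encode the process ID, a dump sequence number and the start and end virtual addresses of the dumped region. The following added example (not part of the report) parses those names, recomputes the region sizes that the report rounds to 128KB and 1.0MB, and checks that the two family_phorphiex YARA hits are regions of identical size (0x10B000 bytes) in the parent (PID 1812) and in the dropped child (PID 2556). The dump names and tags are copied from this report; the rounding rule is an assumption chosen to reproduce the report's labels, and the reading of 0x400000 as the child's image base is an inference from the x86 resource tag, not something the report states.

```python
"""Parse sandbox memory dump names and cross-reference them with YARA hits (added example)."""
import re

# Dump names and YARA tags copied from this report (Downloads and
# "Phorphiex payload" sections). Untagged dumps carry an empty set.
DUMPS = {
    "memory/1812-0-0x00000000002E0000-0x0000000000300000-memory.dmp": set(),
    "memory/1812-8-0x00000000002E0000-0x0000000000300000-memory.dmp": set(),
    "memory/1812-7-0x0000000000050000-0x000000000015B000-memory.dmp": {"family_phorphiex"},
    # 0x400000 is the conventional image base of a 32-bit PE (assumed to be the
    # child's main module); the 0xAD0000 region is where YARA matched the payload.
    "memory/2556-9-0x0000000000400000-0x0000000000420000-memory.dmp": set(),
    "memory/2556-11-0x0000000000AD0000-0x0000000000BDB000-memory.dmp": {"family_phorphiex"},
}

# <pid>-<sequence>-0x<start>-0x<end>; the addresses are virtual, in the dumped process.
NAME_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name):
    """Split a dump name into pid, sequence number, start, end and size in bytes."""
    m = NAME_RE.search(name)
    if m is None:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start or start % 0x1000 or end % 0x1000:   # regions are page-aligned
        raise ValueError(f"bad region bounds in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Assumed rounding that reproduces the report's 128KB / 1.0MB labels."""
    mib = 1024 * 1024
    return f"{n // 1024}KB" if n < mib else f"{n / mib:.1f}MB"


def dump_sizes(dumps=DUMPS):
    return {name: human_size(parse_dump(name)["size"]) for name in dumps}


def tagged_regions(tag, dumps=DUMPS):
    """Regions carrying a YARA tag, keyed by process ID."""
    out = {}
    for name, tags in dumps.items():
        if tag in tags:
            d = parse_dump(name)
            out[d["pid"]] = d
    return out


def same_payload_across_processes(tag, dumps=DUMPS):
    """True when the tagged region has identical size in more than one process,
    i.e. the same unpacked image is present in the parent and in the dropped child."""
    regs = tagged_regions(tag, dumps)
    return len(regs) > 1 and len({r["size"] for r in regs.values()}) == 1


if __name__ == "__main__":
    for name, size in dump_sizes().items():
        d = parse_dump(name)
        print(f"pid {d['pid']:>5} {d['start']:#010x}-{d['end']:#010x} {d['size']:#x} bytes -> {size}")
    print("family_phorphiex region has the same size in both processes:",
          same_payload_across_processes("family_phorphiex"))
```

The two tagged dumps are the ones to pull for static work: the parent's copy at 0x50000 was written before the child existed (sequence 7, ahead of the WriteProcessMemory calls), so it is the unpacked payload as the first stage held it, and the child's at 0xAD0000 is the same size and carries the same family tag.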