861a86d8deb2e334993e09825ac1df181a5aa3c714fed8cc32155a16a71cdd5c

General

Target

4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
Size

142KB
MD5

4a9e4b153ab1bcde22b498abde466ca5
SHA1

9fa6be8c7ce0e5671592effa407572a4b93770b7
SHA256

861a86d8deb2e334993e09825ac1df181a5aa3c714fed8cc32155a16a71cdd5c
SHA512

0f55df581e41f86a82e5b4276cff71938e6b9d621a3f2020c997e784a4d7eb4a8cb74eb69dbaefe93df2d68b45167ac2efce61f22a1537d08b0ff952b63a19c1
SSDEEP

1536:WE1sdTxdrdL5txDCBOpJHxWk7WbOi25t9MUDaoHtqmNyfKcnUvmaj3au4S5EWRwX:ULTxNfECx9MUpNZNGUvmi3qS5EX4Lr

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

winsvcs.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	winsvcs.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

winsvcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsvcs.exe

Executes dropped EXE 1 IoCs

Processes:

winsvcs.exe

pid process

2320 winsvcs.exe
Loads dropped DLL 2 IoCs

Processes:

4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe

pid process

836 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
836 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe

pid	process
2320	winsvcs.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

winsvcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winsvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\Windows\\T400660040302845060\\winsvcs.exe"	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\Windows\\T400660040302845060\\winsvcs.exe"	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\T400660040302845060\winsvcs.exe	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
File opened for modification	C:\Windows\T400660040302845060\winsvcs.exe	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
File opened for modification	C:\Windows\T400660040302845060	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exewinsvcs.exe

pid	process
836	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
836	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
836	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
836	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
836	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
836	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
836	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
836	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
836	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
836	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
836	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
836	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
836	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
836	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
836	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
2320	winsvcs.exe
2320	winsvcs.exe
2320	winsvcs.exe
2320	winsvcs.exe
2320	winsvcs.exe
2320	winsvcs.exe
2320	winsvcs.exe
2320	winsvcs.exe
2320	winsvcs.exe
2320	winsvcs.exe
2320	winsvcs.exe
2320	winsvcs.exe
2320	winsvcs.exe
2320	winsvcs.exe
2320	winsvcs.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe

description	pid	process	target process
PID 836 wrote to memory of 2320	836	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe	winsvcs.exe
PID 836 wrote to memory of 2320	836	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe	winsvcs.exe
PID 836 wrote to memory of 2320	836	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe	winsvcs.exe
PID 836 wrote to memory of 2320	836	4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe	winsvcs.exe

C:\Users\Admin\AppData\Local\Temp\4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\T400660040302845060\winsvcs.exe
C:\Windows\T400660040302845060\winsvcs.exe
2⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\T400660040302845060\winsvcs.exe

Filesize
142KB

MD5
17288b8ab3a73d46e5fa136c79eff181

SHA1
30f0b572ce01ae16a8de46fce0edbe3d13042502

SHA256
684e8e0de1228bf558f81fc3c560361c8cfb33e1c2bd1b9c594d903b25c17209

SHA512
ce2ccd70343755854a3b07a338fa023c1e5f15046b57271c6c21830d5358f9f16765591e03bb794ba69893ac5787052a6d2e7a7f2fe3045c876bcd3b7900f750

Download Submit
memory/836-1-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/836-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/836-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2320-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2320-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads