Analysis
max time kernel: 147s
max time network: 148s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 10:25
Static task: static1
Behavioral task: behavioral1
  Sample: 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
Size: 142KB
MD5: 4a9e4b153ab1bcde22b498abde466ca5
SHA1: 9fa6be8c7ce0e5671592effa407572a4b93770b7
SHA256: 861a86d8deb2e334993e09825ac1df181a5aa3c714fed8cc32155a16a71cdd5c
SHA512: 0f55df581e41f86a82e5b4276cff71938e6b9d621a3f2020c997e784a4d7eb4a8cb74eb69dbaefe93df2d68b45167ac2efce61f22a1537d08b0ff952b63a19c1
SSDEEP: 1536:WE1sdTxdrdL5txDCBOpJHxWk7WbOi25t9MUDaoHtqmNyfKcnUvmaj3au4S5EWRwX:ULTxNfECx9MUpNZNGUvmi3qS5EX4Lr
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
Processes: winsvcs.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | winsvcs.exe
Windows security bypass
Processes: winsvcs.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winsvcs.exe
Executes dropped EXE (1 IoC)
Processes: winsvcs.exe
pid | process
2320 | winsvcs.exe
Loads dropped DLL (2 IoCs)
Processes: 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
pid | process
836 | 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
836 | 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
Windows security modification
Processes: winsvcs.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winsvcs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | winsvcs.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\Windows\\T400660040302845060\\winsvcs.exe" | 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\Windows\\T400660040302845060\\winsvcs.exe" | 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
Drops file in Windows directory (3 IoCs)
Processes: 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
description | ioc | process
File created | C:\Windows\T400660040302845060\winsvcs.exe | 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
File opened for modification | C:\Windows\T400660040302845060\winsvcs.exe | 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
File opened for modification | C:\Windows\T400660040302845060 | 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes: 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe, winsvcs.exe
pid | process
836 | 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe (15 entries)
2320 | winsvcs.exe (15 entries)
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
description | pid | process | target process
PID 836 wrote to memory of 2320 | 836 | 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe | winsvcs.exe
PID 836 wrote to memory of 2320 | 836 | 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe | winsvcs.exe
PID 836 wrote to memory of 2320 | 836 | 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe | winsvcs.exe
PID 836 wrote to memory of 2320 | 836 | 4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe | winsvcs.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4a9e4b153ab1bcde22b498abde466ca5_JaffaCakes118.exe"
   PID: 836
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\T400660040302845060\winsvcs.exe (child of PID 836)
      Command line: C:\Windows\T400660040302845060\winsvcs.exe
      PID: 2320
      - Modifies Windows Defender Real-time Protection settings
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 142KB
MD5: 17288b8ab3a73d46e5fa136c79eff181
SHA1: 30f0b572ce01ae16a8de46fce0edbe3d13042502
SHA256: 684e8e0de1228bf558f81fc3c560361c8cfb33e1c2bd1b9c594d903b25c17209
SHA512: ce2ccd70343755854a3b07a338fa023c1e5f15046b57271c6c21830d5358f9f16765591e03bb794ba69893ac5787052a6d2e7a7f2fe3045c876bcd3b7900f750