Analysis
- max time kernel: 149s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 17-05-2024 04:51
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
  - Resource: win7-20240221-en
General
- Target: 4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
- Size: 822KB
- MD5: 4e7cf999557893b08c6623c31c45b28d
- SHA1: 9f8a085de74277fe2fcd79d77037a0627b79ebc1
- SHA256: e5184d8982254662e152b0f61fccf90d1230a6f173118a59bc53bc883992de26
- SHA512: 44711a040f3b5329d71b6f0fec1dd21adf16626ffacde92b28603b8358f81f9b8e76f68610629be9a62051273f14396ba7cd24eb87f89a60bca5260f8e337ef8
- SSDEEP: 24576:jYUneM0AEIl09L8fffGkPt0UBEw8qqauuNWKP1UAp9:jYSKAE1ifffJtaw8qBuucKP+A/
Malware Config
Signatures
- DarkTrack payload (11 IoCs)
  resource / yara_rule:
  - behavioral1/memory/1644-36-0x0000000000400000-0x00000000004A8000-memory.dmp: family_darktrack
  - behavioral1/memory/1644-34-0x0000000000400000-0x00000000004A8000-memory.dmp: family_darktrack
  - behavioral1/memory/1644-32-0x0000000000400000-0x00000000004A8000-memory.dmp: family_darktrack
  - behavioral1/memory/1644-30-0x0000000000400000-0x00000000004A8000-memory.dmp: family_darktrack
  - behavioral1/memory/1644-28-0x0000000000400000-0x00000000004A8000-memory.dmp: family_darktrack
  - behavioral1/memory/1644-26-0x0000000000400000-0x00000000004A8000-memory.dmp: family_darktrack
  - behavioral1/memory/1644-40-0x0000000000400000-0x00000000004A8000-memory.dmp: family_darktrack
  - behavioral1/memory/1644-41-0x0000000000400000-0x00000000004A8000-memory.dmp: family_darktrack
  - behavioral1/memory/1644-39-0x0000000000400000-0x00000000004A8000-memory.dmp: family_darktrack
  - behavioral1/memory/1644-82-0x0000000000400000-0x00000000004A8000-memory.dmp: family_darktrack
  - behavioral1/memory/1644-81-0x0000000000400000-0x00000000004A8000-memory.dmp: family_darktrack
- Modifies WinLogon for persistence (2 TTPs, 1 IoC; process: 4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe\""
- Modifies Windows Defender Real-time Protection settings (process: 4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Windows security bypass (process: 4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe = "0"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe = "0"
- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  - pid 3024: powershell.exe
  - pid 2592: powershell.exe
  - pid 2708: powershell.exe
  - pid 2588: powershell.exe
- Drops startup file (2 IoCs; process: 4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe)
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
  - File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
- Windows security modification (process: 4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe = "0"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe = "0"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features
  - Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths
  - Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
- Adds Run key to start application (2 TTPs, 2 IoCs; process: 4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe"
  - Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe"
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  - flow 5: pastebin.com
  - flow 4: pastebin.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (11 IoCs)
  - pid 2940: 4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe (11 identical entries)
- Suspicious use of SetThreadContext (1 IoC)
  - PID 2940 set thread context of 1644 (4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe, procid_target 38)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  - pid 1856 (WerFault.exe), pid_target 2940, procid_target 27
- Delays execution with timeout.exe (1 IoC)
  - pid 3044: timeout.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  - pid 2592: powershell.exe
  - pid 2708: powershell.exe
  - pid 2588: powershell.exe
  - pid 3024: powershell.exe
  - pid 2940: 4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe (3 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - pid 1644: aspnet_state.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  - Token: SeDebugPrivilege, pid 2940: 4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
  - Token: SeDebugPrivilege, pid 2592: powershell.exe
  - Token: SeDebugPrivilege, pid 2588: powershell.exe
  - Token: SeDebugPrivilege, pid 3024: powershell.exe
  - Token: SeDebugPrivilege, pid 2708: powershell.exe
- Suspicious use of WriteProcessMemory (60 IoCs; repeated identical entries collapsed to one line per source/target pair)
  - PID 2940 wrote to memory of 3044 (4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe, procid_target 28)
  - PID 2940 wrote to memory of 3024 (4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe, procid_target 30)
  - PID 2940 wrote to memory of 2592 (4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe, procid_target 32)
  - PID 2940 wrote to memory of 2708 (4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe, procid_target 34)
  - PID 2940 wrote to memory of 2588 (4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe, procid_target 36)
  - PID 2940 wrote to memory of 1644 (4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe, procid_target 38)
  - PID 2940 wrote to memory of 1856 (4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe, procid_target 40)
  - PID 1644 wrote to memory of 1032 (aspnet_state.exe, procid_target 39)
Processes
- C:\Users\Admin\AppData\Local\Temp\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe (PID 2940)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - Modifies Windows Defender Real-time Protection settings
  - Windows security bypass
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\timeout.exe (PID 3044)
    Command line: timeout 4
    Signatures:
    - Delays execution with timeout.exe
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3024)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe" -Force
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2592)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe" -Force
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2708)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe" -Force
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2588)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe" -Force
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe (PID 1644)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"
    Signatures:
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\notepad.exe (PID 1032)
      Command line: notepad
  - C:\Windows\SysWOW64\WerFault.exe (PID 1856)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 840
    Signatures:
    - Program crash
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  - Filesize: 7KB
  - MD5: 10e24b6c2b14411e6b345a0048156e13
  - SHA1: 5e32a57c59710ba5496d420ecfc2e3b13a55842b
  - SHA256: b602ff5db34e8448af442b3c5046d6ab4f1417003bfb280b6739660e3d124548
  - SHA512: 6a237559b787df49e53d4c66b79fee892350819fd8789688f32693940693bdd1116a9d145dec9642987fe0cc89966b687074d6ad8e4ae5668dd5714183b3b8d8