304a2a17f482efca5e8a9e59b7e17f0f7cbd3bce77680f72ef079a81eadab70c

General

Target

6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
Size

321KB
MD5

6f6df11c0814860cc5a4fe7a9db87cc9
SHA1

539bbcc5ec63af4255a65e20ffb1352338cf41d2
SHA256

304a2a17f482efca5e8a9e59b7e17f0f7cbd3bce77680f72ef079a81eadab70c
SHA512

82bf7779e05bd6a734e51747f8fa8f879853c9869f88ecc0f7bf6bf13aeacdd47e7c506b9dde688c955c1f688f2889f8a8c92d263fcb411ec8663a43fe6ce31c
SSDEEP

6144:Fy9xbRMPI1qIELTUbTvfjstzx6UqUxaUWEN:Fwi

Score

10^/10

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2212-1-0x00000000011D0000-0x0000000001220000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Start = "4"	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

Processes:

6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe

description	pid	process	target process
PID 2212 set thread context of 2028	2212	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2804 schtasks.exe

pid	process
2804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe

pid	process
2320	powershell.exe
2028	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
2028	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
2028	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
2028	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exe6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2212	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
Token: SeDebugPrivilege	2028	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe

description	pid	process	target process
PID 2212 wrote to memory of 2320	2212	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe	powershell.exe
PID 2212 wrote to memory of 2320	2212	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe	powershell.exe
PID 2212 wrote to memory of 2320	2212	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe	powershell.exe
PID 2212 wrote to memory of 2320	2212	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe	powershell.exe
PID 2212 wrote to memory of 2804	2212	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe	schtasks.exe
PID 2212 wrote to memory of 2804	2212	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe	schtasks.exe
PID 2212 wrote to memory of 2804	2212	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe	schtasks.exe
PID 2212 wrote to memory of 2804	2212	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe	schtasks.exe
PID 2212 wrote to memory of 2028	2212	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
PID 2212 wrote to memory of 2028	2212	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
PID 2212 wrote to memory of 2028	2212	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
PID 2212 wrote to memory of 2028	2212	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
PID 2212 wrote to memory of 2028	2212	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
PID 2212 wrote to memory of 2028	2212	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
PID 2212 wrote to memory of 2028	2212	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
PID 2212 wrote to memory of 2028	2212	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
PID 2212 wrote to memory of 2028	2212	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe	6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6f6df11c0814860cc5a4fe7a9db87cc9_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Create or Modify System Process

2

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2028-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2028-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2028-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2028-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2028-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2028-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2028-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2028-13-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2212-1-0x00000000011D0000-0x0000000001220000-memory.dmp

Filesize
320KB

Download
memory/2212-0-0x000000007444E000-0x000000007444F000-memory.dmp

Filesize
4KB

Download
memory/2320-6-0x0000000071340000-0x00000000718EB000-memory.dmp

Filesize
5.7MB

Download
memory/2320-7-0x0000000071340000-0x00000000718EB000-memory.dmp

Filesize
5.7MB

Download
memory/2320-9-0x0000000071340000-0x00000000718EB000-memory.dmp

Filesize
5.7MB

Download
memory/2320-8-0x0000000071340000-0x00000000718EB000-memory.dmp

Filesize
5.7MB

Download
memory/2320-5-0x0000000071340000-0x00000000718EB000-memory.dmp

Filesize
5.7MB

Download
memory/2320-4-0x0000000071341000-0x0000000071342000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads