Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-05-2024 20:17

Behavioral task: behavioral1
Sample: 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Resource: win7-20240221-en
12 signatures
150 seconds
General
Target: 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Size: 821KB
MD5: 731f51dcfb5d968e90f82457084f2849
SHA1: 0a06d69c986a21f37310b6b0bc4df8b2e66eca3f
SHA256: e033486b4c119f41962837b8b84f91c8d86a3bf6d0b9ce8e5221ef18311f6268
SHA512: a2d4dd55efe459ca2c6e092b58d4b2511dd504b82dbc8277c2a78ca8b0709b97832926467008abbbb01aae991e1a8297e987a9750a8ac93aca5dfd1abbf78f36
SSDEEP: 12288:PFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0w/q9jJZYG:d3nbWmJVJFwSddIXvfhqbiaxvRxq9x
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Modifies security service (2 TTPs, 1 IoCs)
Processes: 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Processes: 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Disables RegEdit via registry modification (1 IoCs)
Processes: 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Disables Task Manager via registry modification
Processes: 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes: 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeSecurityPrivilege | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeLoadDriverPrivilege | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeSystemProfilePrivilege | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeSystemtimePrivilege | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeBackupPrivilege | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeRestorePrivilege | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeShutdownPrivilege | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeDebugPrivilege | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeUndockPrivilege | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeManageVolumePrivilege | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeImpersonatePrivilege | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: 33 | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: 34 | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: 35 | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Token: 36 | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
pid | process
2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
description | pid | process | target process
PID 2752 wrote to memory of 2324 | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe | iexplore.exe
PID 2752 wrote to memory of 2324 | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe | iexplore.exe
PID 2752 wrote to memory of 2324 | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe | iexplore.exe
PID 2752 wrote to memory of 4376 | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe | explorer.exe
PID 2752 wrote to memory of 4376 | 2752 | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe | explorer.exe
System policy modification (1 TTPs, 3 IoCs)
Processes: 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | 731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
Processes
C:\Users\Admin\AppData\Local\Temp\731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\731f51dcfb5d968e90f82457084f2849_JaffaCakes118.exe"
  - Modifies firewall policy service
  - Modifies security service
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Windows security modification
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory/2752-0-0x0000000002150000-0x0000000002151000-memory.dmp (Filesize 4KB)
memory/2752-1-0x0000000000400000-0x00000000004DB000-memory.dmp (Filesize 876KB)
memory/2752-3-0x0000000000400000-0x00000000004DB000-memory.dmp (Filesize 876KB)
memory/2752-4-0x0000000000400000-0x00000000004DB000-memory.dmp (Filesize 876KB)
memory/2752-6-0x0000000000400000-0x00000000004DB000-memory.dmp (Filesize 876KB)