Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2024 06:35
Static task: static1
Behavioral task: behavioral1
Sample: 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe
Size: 454KB
MD5: 749ca850ede36a942a2ff2984313299f
SHA1: b1d42108b09427c61e846b8f4f819cfe78f922a6
SHA256: 1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b
SHA512: 5092010bf481b619d53ee20d4be12f5383429aeaec6e8991eb6ccaecdbb25bdf7d729d044d4d39227888230689877829dd8406c4c8f5154fdac7bd48f78063ea
SSDEEP: 6144:2W7UQ+lpxgdm6zNc2aDiUkMwxxnwy29CNbc0kPF7c5RZs:Ygdm6zNfFxxnwdv4Zs
Malware Config
Extracted: phorphiex
C2:
http://185.176.27.132/
http://urusurofhsorhfuuhr.su/
http://aeifaeifhutuhuhusr.su/
http://rzhsudhugugfugugsr.su/
http://bfagzzezgaegzgfair.su/
http://eaeuafhuaegfugeudr.su/
http://aeufuaehfiuehfuhfr.su/
http://daedagheauehfuuhfr.su/
http://aeoughaoheguaoehdr.su/
http://eguaheoghouughahsr.su/
http://huaeokaefoaeguaehr.su/
http://afaeigaifgsgrhhafr.su/
http://afaigaeigieufuifir.su/
http://geauhouefheuutiiir.su/
http://gaoheeuofhefefhutr.su/
http://gaouehaehfoaeajrsr.su/
http://gaohrhurhuhruhfsdr.su/
http://gaghpaheiafhjefijr.su/
http://gaoehuoaoefhuhfugr.su/
http://aegohaohuoruitiier.su/
http://befaheaiudeuhughgr.su/
http://urusurofhsorhfuuhz.io/
http://aeifaeifhutuhuhusz.io/
http://rzhsudhugugfugugsz.io/
Cryptocurrency wallet addresses:
13cQ2H6oszrEnvw1ZGdsPix9gUayB8tzNa
qr5pm4d27z250wpz4sfy08ytghxn56kryvsw5tdw99
XfrM8P9YWSg8mQTxSCCxyHUeQjMEGx8vnE
DSG5PddW9wu1eKdLcx4f3KBF4wUvaBFaGc
0x373b9854c9e4511b920372f5495640cdc25d6832
LSermtCTLWeS683x17AtYuhNT8MpMmVmi8
t1XgRHyGj6YDNqkS5EWwdcXG1rjQPFFdUsR
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Signatures
-
Modifies Windows Defender Real-time Protection settings 4 IoCs
Processes: syssmiz.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | syssmiz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | syssmiz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | syssmiz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | syssmiz.exe
-
Phorphiex payload 5 IoCs
resource | yara_rule
behavioral1/memory/1508-2-0x0000000000450000-0x000000000045E000-memory.dmp | family_phorphiex
behavioral1/memory/1508-4-0x0000000000450000-0x000000000045E000-memory.dmp | family_phorphiex
behavioral1/memory/2324-15-0x0000000000370000-0x000000000037E000-memory.dmp | family_phorphiex
behavioral1/memory/2324-17-0x0000000000370000-0x000000000037E000-memory.dmp | family_phorphiex
behavioral1/memory/2324-21-0x0000000000370000-0x000000000037E000-memory.dmp | family_phorphiex
-
Windows security bypass 6 IoCs
Processes: syssmiz.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | syssmiz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | syssmiz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | syssmiz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | syssmiz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | syssmiz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | syssmiz.exe
-
Executes dropped EXE 1 IoCs
Processes: syssmiz.exe
pid | process
2324 | syssmiz.exe
-
Loads dropped DLL 1 IoCs
Processes: 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe
pid | process
1508 | 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe
-
Windows security modification 7 IoCs
Processes: syssmiz.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | syssmiz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | syssmiz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | syssmiz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | syssmiz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | syssmiz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | syssmiz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | syssmiz.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\697916288\\syssmiz.exe" | 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\697916288\\syssmiz.exe" | 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe
-
Drops file in Windows directory 3 IoCs
Processes: 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe
description | ioc | process
File created | C:\Windows\697916288\syssmiz.exe | 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe
File opened for modification | C:\Windows\697916288\syssmiz.exe | 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe
File opened for modification | C:\Windows\697916288 | 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes: 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe, syssmiz.exe
pid | process
1508 | 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe (9 entries)
2324 | syssmiz.exe (9 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe, syssmiz.exe
description | pid | process
Token: SeDebugPrivilege | 1508 | 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe
Token: SeDebugPrivilege | 2324 | syssmiz.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe, syssmiz.exe
pid | process
1508 | 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe (2 entries)
2324 | syssmiz.exe (2 entries)
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe
description | pid | process | target process
PID 1508 wrote to memory of 2324 | 1508 | 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe | syssmiz.exe (4 entries)
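The registry signatures above are the actionable part of this report, but the text export runs each table onto one line, records the same Security Center writes twice (once under "Windows security bypass", once under "Windows security modification"), and shows the kernel-style \REGISTRY\MACHINE paths rather than the HKLM/HKU form hunt tools take. Note also that the Security Center and HKLM Run writes landed under Wow6432Node: the 32-bit sample's writes were redirected by WOW64 on this x64 image, so a hunt has to check both the redirected and the native key. The script below is an added example written for this page (editor's code, not Triage's and not the sample's): it parses the rows exactly as they appear in the report, de-duplicates them, normalises the hive and WOW64 prefix, and emits the detection body of a Sigma `registry_set` rule. The sample lines are copied from the signatures above; the rule title, the choice to match on `TargetObject|endswith`, and the decision to drop Wow6432Node from the normalised key (the raw key is kept alongside) are my assumptions. Whether the redirected Security Center values have any effect on the 64-bit service is not something the report shows.

```python
"""Normalise the flattened registry IoC rows of this Triage report into hunt/detection data."""
import re

# Constructed input: the "Set value" rows of four signatures in the report above,
# copied as the text export runs them together (one signature per string).
RAW_REPORT_LINES = [
    # Modifies Windows Defender Real-time Protection settings
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection syssmiz.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" syssmiz.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" syssmiz.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" syssmiz.exe',
    # Windows security bypass
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" syssmiz.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" syssmiz.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" syssmiz.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" syssmiz.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" syssmiz.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" syssmiz.exe',
    # Windows security modification (overlaps the block above)
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" syssmiz.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" syssmiz.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" syssmiz.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" syssmiz.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" syssmiz.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" syssmiz.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" syssmiz.exe',
    # Adds Run key to start application
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\697916288\\syssmiz.exe" 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\697916288\\syssmiz.exe" 749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe',
]

# One row: 'Set value (<type>) <key\name> = "<data>" <process>'; key paths may contain spaces.
SET_VALUE = re.compile(
    r'Set value \((?P<type>int|str)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>(?:[^"\\]|\\.)*)" (?P<proc>\S+)'
)
HIVES = (('\\REGISTRY\\MACHINE\\', 'HKLM\\'), ('\\REGISTRY\\USER\\', 'HKU\\'))


def normalise_key(key):
    """Kernel path -> hive form used by hunt tools, with the WOW64 redirection node dropped.

    Assumption for this example: the redirected (Wow6432Node) and native keys are
    hunted as one; parse_report keeps the raw key so both can still be checked."""
    for prefix, hive in HIVES:
        if key.upper().startswith(prefix):
            key = hive + key[len(prefix):]
            break
    return key.replace('\\Wow6432Node\\', '\\')


def relative_key(key):
    """Key without its hive (and without the user SID under HKU), for endswith matching."""
    parts = key.split('\\', 2 if key.startswith('HKU\\') else 1)
    return parts[-1]


def parse_report(lines):
    """One dict per 'Set value' row, in report order, duplicates kept."""
    rows = []
    for line in lines:
        for m in SET_VALUE.finditer(line):
            key, _, name = m.group('path').rpartition('\\')
            rows.append({
                'raw_key': key,
                'key': normalise_key(key),
                'name': name,
                'type': m.group('type'),
                # the export doubles backslashes inside string data
                'data': m.group('data').replace('\\\\', '\\'),
                'process': m.group('proc'),
            })
    return rows


def unique_iocs(rows):
    """Collapse the overlapping bypass/modification sections on (key, name, data); first row wins."""
    seen = {}
    for r in rows:
        seen.setdefault((r['key'], r['name'], r['data']), r)
    return list(seen.values())


def sigma_rule(iocs, title='Phorpiex: Defender policy, Security Center and Run key writes'):
    """Sigma registry_set rule body; TargetObject is the Sysmon event 13 field name."""
    targets = sorted({relative_key(i['key']) + '\\' + i['name'] for i in iocs})
    return {
        'title': title,
        'logsource': {'category': 'registry_set', 'product': 'windows'},
        'detection': {'selection': {'TargetObject|endswith': targets}, 'condition': 'selection'},
        'level': 'high',
    }


if __name__ == '__main__':
    iocs = unique_iocs(parse_report(RAW_REPORT_LINES))
    for i in iocs:
        print(f"{i['key']}\\{i['name']} = {i['data']!r}  [{i['type']}, by {i['process']}]")
    rule = sigma_rule(iocs)
    print(len(iocs), 'unique registry writes;', len(rule['detection']['selection']['TargetObject|endswith']), 'Sigma targets')
```

Run as-is it prints the 12 distinct writes (18 rows before de-duplication) and builds the rule from them. The Defender values live under the Policies key, so they are honoured as machine policy; the Security Center values only appear under the redirected key in this run, so a responder should query both `HKLM\SOFTWARE\Microsoft\Security Center` and `HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center` rather than trust the normalised path alone.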
Processes
1. C:\Users\Admin\AppData\Local\Temp\749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe (PID 1508)
   Command line: "C:\Users\Admin\AppData\Local\Temp\749ca850ede36a942a2ff2984313299f_JaffaCakes118.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Windows\697916288\syssmiz.exe (PID 2324, child of PID 1508)
   Command line: C:\Windows\697916288\syssmiz.exe
   - Modifies Windows Defender Real-time Protection settings
   - Windows security bypass
   - Executes dropped EXE
   - Windows security modification
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
Create or Modify System Process (1): Windows Service (1)
Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
\Windows\697916288\syssmiz.exe
Filesize: 454KB
MD5: 749ca850ede36a942a2ff2984313299f
SHA1: b1d42108b09427c61e846b8f4f819cfe78f922a6
SHA256: 1a7d054abcd9570fa89ab81ed211b37bc59b513a13d5f8db900392a988e5043b
SHA512: 5092010bf481b619d53ee20d4be12f5383429aeaec6e8991eb6ccaecdbb25bdf7d729d044d4d39227888230689877829dd8406c4c8f5154fdac7bd48f78063ea
(same size and hashes as the submitted sample: the dropped file is a byte-identical copy of the sample, so one hash set covers both)
-
memory/1508-0-0x00000000011E0000-0x0000000001258000-memory.dmp  Filesize: 480KB
memory/1508-1-0x0000000001222000-0x0000000001229000-memory.dmp  Filesize: 28KB
memory/1508-2-0x0000000000450000-0x000000000045E000-memory.dmp  Filesize: 56KB
memory/1508-4-0x0000000000450000-0x000000000045E000-memory.dmp  Filesize: 56KB
memory/1508-14-0x0000000001222000-0x0000000001229000-memory.dmp  Filesize: 28KB
memory/2324-12-0x0000000000F20000-0x0000000000F98000-memory.dmp  Filesize: 480KB
memory/2324-15-0x0000000000370000-0x000000000037E000-memory.dmp  Filesize: 56KB
memory/2324-17-0x0000000000370000-0x000000000037E000-memory.dmp  Filesize: 56KB
memory/2324-21-0x0000000000370000-0x000000000037E000-memory.dmp  Filesize: 56KB