7c3006d165399ba2cc500f9f431cdc7823ad534a85d83bdfd4177a5d2bf5abec

General

Target

76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe
Size

231KB
MD5

76b39b832f47393a0827203fbb459c33
SHA1

c4475e36552022397cf89cc9ff5b10620666ae51
SHA256

7c3006d165399ba2cc500f9f431cdc7823ad534a85d83bdfd4177a5d2bf5abec
SHA512

472577a554a7b927231f28b42b2878962d4202def3b088ce3b8d5569eeb5d9856f84cffb841861c45080507a421993014d4b884dac07cfb463dce84aad119d01
SSDEEP

6144:PC3+i8c0XmyT8cW1peyieABxnP6IIEaLKTCf:a3yXmyA5OyieAPPm5KTCf

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 2792	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2916	powershell.exe
2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe
2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2916	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	30
PID 2044 wrote to memory of 2916	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	30
PID 2044 wrote to memory of 2916	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	30
PID 2044 wrote to memory of 2916	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	30
PID 2044 wrote to memory of 2756	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	32
PID 2044 wrote to memory of 2756	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	32
PID 2044 wrote to memory of 2756	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	32
PID 2044 wrote to memory of 2756	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	32
PID 2044 wrote to memory of 1584	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	34
PID 2044 wrote to memory of 1584	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	34
PID 2044 wrote to memory of 1584	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	34
PID 2044 wrote to memory of 1584	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	34
PID 2044 wrote to memory of 2792	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	35
PID 2044 wrote to memory of 2792	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	35
PID 2044 wrote to memory of 2792	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	35
PID 2044 wrote to memory of 2792	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	35
PID 2044 wrote to memory of 2792	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	35
PID 2044 wrote to memory of 2792	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	35
PID 2044 wrote to memory of 2792	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	35
PID 2044 wrote to memory of 2792	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	35
PID 2044 wrote to memory of 2792	2044	76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\prJRIQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1CB4.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe"
  2⤵
  PID:1584
- C:\Users\Admin\AppData\Local\Temp\76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\76b39b832f47393a0827203fbb459c33_JaffaCakes118.exe"
  2⤵
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1CB4.tmp

Filesize
1KB

MD5
423e9f6799c083a1c88e4caa57bb3bfa

SHA1
df86f3ae6f858adf1d71cfe6d69d70d8684f31cd

SHA256
8688a6172b55817b80ca4906a6857deef1ff8e570706c083aa0ec615633cd719

SHA512
d8ffc843a5a37e2446a2b3c6ef5cda26486a828597e1795a9f5487d447db1b536336e85b2db14bc71719dbd79486a2a138a88e2f2cd180e603cb5e4efd3610ce

Download Submit
memory/2044-1-0x0000000001290000-0x00000000012D0000-memory.dmp

Filesize
256KB

Download
memory/2044-2-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/2044-3-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download
memory/2044-4-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

Filesize
4KB

Download
memory/2044-5-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/2044-6-0x0000000000830000-0x000000000085A000-memory.dmp

Filesize
168KB

Download
memory/2044-7-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2044-33-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/2044-0-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

Filesize
4KB

Download
memory/2792-31-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2792-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2792-25-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2792-27-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2792-30-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2792-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2792-23-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2792-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2916-11-0x000000006F8E0000-0x000000006FE8B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-13-0x000000006F8E0000-0x000000006FE8B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-12-0x000000006F8E0000-0x000000006FE8B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-15-0x000000006F8E0000-0x000000006FE8B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-14-0x000000006F8E0000-0x000000006FE8B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-10-0x000000006F8E1000-0x000000006F8E2000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads