f8e2445d5187846a19b9138cf18a51cc2b8d590d95af57ee57bbaa68cbe8fe39

Analysis

max time kernel
137s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76af348518fffd3b633694751d5e6e90_JaffaCakes118.exe
Size

362KB
MD5

76af348518fffd3b633694751d5e6e90
SHA1

880e2d4f647bee68d8edd2a2b649be480e5a1c9a
SHA256

f8e2445d5187846a19b9138cf18a51cc2b8d590d95af57ee57bbaa68cbe8fe39
SHA512

c837e7e7c45e10ddb0ca5fe6bd177b9fbea8b31ece840b3ba638fe20b5a07d57db3bce73ebdbcfa8b7b42938984c5d3e916a481f120780ba7fab3d3b2ce47bd0
SSDEEP

6144:FraWkc+CrdYzNJdL38Lv1E0/Vxu1g+a/ko/+ymQVtWphD+iLiZqY+BUoEBEjMcWw:VaWh+uSzNJ21Fu1gFZIQVspzBpBUo/j9

Score

10^/10

evasion ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Run.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Run.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"	Run.exe

Executes dropped EXE 12 IoCs

pid	Process
4236	Run.exe
2716	rssvnc.exe
720	rssvnc.exe
4032	rssvnc.exe
4648	rssvnc.exe
1336	rssvnc.exe
2116	rssvnc.exe
952	rssvnc.exe
1780	rssvnc.exe
1448	rssvnc.exe
2320	rssvnc.exe
844	rssvnc.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Run.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Run.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	Run.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe
4236	Run.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4236	Run.exe
4236	Run.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 4236	2280	76af348518fffd3b633694751d5e6e90_JaffaCakes118.exe	83
PID 2280 wrote to memory of 4236	2280	76af348518fffd3b633694751d5e6e90_JaffaCakes118.exe	83
PID 2280 wrote to memory of 4236	2280	76af348518fffd3b633694751d5e6e90_JaffaCakes118.exe	83
PID 4236 wrote to memory of 2716	4236	Run.exe	87
PID 4236 wrote to memory of 2716	4236	Run.exe	87
PID 4236 wrote to memory of 2716	4236	Run.exe	87
PID 4236 wrote to memory of 720	4236	Run.exe	98
PID 4236 wrote to memory of 720	4236	Run.exe	98
PID 4236 wrote to memory of 720	4236	Run.exe	98
PID 4236 wrote to memory of 4032	4236	Run.exe	99
PID 4236 wrote to memory of 4032	4236	Run.exe	99
PID 4236 wrote to memory of 4032	4236	Run.exe	99
PID 4236 wrote to memory of 4648	4236	Run.exe	102
PID 4236 wrote to memory of 4648	4236	Run.exe	102
PID 4236 wrote to memory of 4648	4236	Run.exe	102
PID 4236 wrote to memory of 1336	4236	Run.exe	103
PID 4236 wrote to memory of 1336	4236	Run.exe	103
PID 4236 wrote to memory of 1336	4236	Run.exe	103
PID 4236 wrote to memory of 2116	4236	Run.exe	104
PID 4236 wrote to memory of 2116	4236	Run.exe	104
PID 4236 wrote to memory of 2116	4236	Run.exe	104
PID 4236 wrote to memory of 952	4236	Run.exe	106
PID 4236 wrote to memory of 952	4236	Run.exe	106
PID 4236 wrote to memory of 952	4236	Run.exe	106
PID 4236 wrote to memory of 1780	4236	Run.exe	107
PID 4236 wrote to memory of 1780	4236	Run.exe	107
PID 4236 wrote to memory of 1780	4236	Run.exe	107
PID 4236 wrote to memory of 1448	4236	Run.exe	114
PID 4236 wrote to memory of 1448	4236	Run.exe	114
PID 4236 wrote to memory of 1448	4236	Run.exe	114
PID 4236 wrote to memory of 2320	4236	Run.exe	115
PID 4236 wrote to memory of 2320	4236	Run.exe	115
PID 4236 wrote to memory of 2320	4236	Run.exe	115
PID 4236 wrote to memory of 844	4236	Run.exe	116
PID 4236 wrote to memory of 844	4236	Run.exe	116
PID 4236 wrote to memory of 844	4236	Run.exe	116

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"	Run.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Run.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Run.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Run.exe

C:\Users\Admin\AppData\Local\Temp\76af348518fffd3b633694751d5e6e90_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76af348518fffd3b633694751d5e6e90_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\7zS6428.tmp\Run.exe
  .\Run.exe
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Sets desktop wallpaper using registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4236
- - C:\Users\Admin\AppData\Local\Temp\7zS6428.tmp\rssvnc.exe
    rssvnc.exe
    3⤵
    - Executes dropped EXE
    PID:2716
- - C:\Users\Admin\AppData\Local\Temp\7zS6428.tmp\rssvnc.exe
    rssvnc.exe
    3⤵
    - Executes dropped EXE
    PID:720
- - C:\Users\Admin\AppData\Local\Temp\7zS6428.tmp\rssvnc.exe
    rssvnc.exe
    3⤵
    - Executes dropped EXE
    PID:4032
- - C:\Users\Admin\AppData\Local\Temp\7zS6428.tmp\rssvnc.exe
    rssvnc.exe
    3⤵
    - Executes dropped EXE
    PID:4648
- - C:\Users\Admin\AppData\Local\Temp\7zS6428.tmp\rssvnc.exe
    rssvnc.exe
    3⤵
    - Executes dropped EXE
    PID:1336
- - C:\Users\Admin\AppData\Local\Temp\7zS6428.tmp\rssvnc.exe
    rssvnc.exe
    3⤵
    - Executes dropped EXE
    PID:2116
- - C:\Users\Admin\AppData\Local\Temp\7zS6428.tmp\rssvnc.exe
    rssvnc.exe
    3⤵
    - Executes dropped EXE
    PID:952
- - C:\Users\Admin\AppData\Local\Temp\7zS6428.tmp\rssvnc.exe
    rssvnc.exe
    3⤵
    - Executes dropped EXE
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\7zS6428.tmp\rssvnc.exe
    rssvnc.exe
    3⤵
    - Executes dropped EXE
    PID:1448
- - C:\Users\Admin\AppData\Local\Temp\7zS6428.tmp\rssvnc.exe
    rssvnc.exe
    3⤵
    - Executes dropped EXE
    PID:2320
- - C:\Users\Admin\AppData\Local\Temp\7zS6428.tmp\rssvnc.exe
    rssvnc.exe
    3⤵
    - Executes dropped EXE
    PID:844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS6428.tmp\Invoice.htm

Filesize
6KB

MD5
905bcafd0c52d766fe5f07d83b5a4416

SHA1
cb8eb19195aec0fed9cbc7f1965953bb363bba23

SHA256
db30315388ecb39492d09a0e2447a2dbccc902532f284f9a25f3c95e092af1b1

SHA512
6f861d5e045ad192853468ccea0dfcf2292483a269776e22b38b333089a09a6ecf85843cc5aeff543c5d3acf318be32a05c1de533200a4e3b0f6690d079d2027

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6428.tmp\Run.exe

Filesize
460KB

MD5
9149fc4df0437b1b452f6e80d528195f

SHA1
ead677fbd3f0ce27ad2b44ee945bda060ef6419f

SHA256
4e2fbd480e19e7411684eb0fb82bf9f766602a5e9ba696c50c4d1471d9a1187e

SHA512
24c7888510f2a1fe6905ca1bc71b81132dade8981d595c4e4e26a81f4a0858d776fd0d8b008e60e4e6343192bde53e59e5e832f351fa540fb87abaae83cb1704

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6428.tmp\helpdesk.txt

Filesize
569B

MD5
d3eff0be4491f6328b3ce63638e7f8b9

SHA1
ba1e42d54e47d3961f5dbc52a7a616a7d03e36af

SHA256
39fa64b6ba5dc2054bc669dbd19057927fc7cd039d076ecc2487624484639ed7

SHA512
f9e484faa4dd451ace067f5b36f1ae9376fae1e6220b744ea96c8799b56aa620a4ef054ba27adca3b3490ea855f2390fc771502d0ba468c129e74abe3a5de118

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6428.tmp\logo.bmp

Filesize
23KB

MD5
f2c4fc28372ca1c4fa4b527ef2b396d8

SHA1
6adde5d8869c505f04bc1b1a6650e3a8f9f18065

SHA256
c94576cdcc4015ad0436add6970ba0313187c2c5a0ddb6ef18a73af68ae7e3c4

SHA512
6ce1c3e11281764c77710e0533909d0860430194114f82bdc68ca474fa780f437579d21cc8863aedda6a24ea69622c6badc2d58ee244979ea4fa5706f070904e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6428.tmp\logo.gif

Filesize
807B

MD5
983d88150a2f22337facfdde79c34a34

SHA1
2fbf5d1c0b9f7a0ffead8a440d2b07c9efb8270a

SHA256
d177fcf781f78f722b0f5f59056affa6f9db376e9fe22167fc41efeedacb70e9

SHA512
7db2448c0bb0b931eca4de7de29f0894432597b2bdfc65409c345c8e9a158fa9951ff84ab574ec3712602d218591f50c0942da6f5dbf682081f9b3d8066e8781

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6428.tmp\rssvnc.exe

Filesize
241KB

MD5
0f6c7e390b1b3ba06792585e96a0e81c

SHA1
874cb4bba2cbfa263eba79d695bc2fc421562e3a

SHA256
70cae2dc05434905dcec4995a16e504a8552bcdf836f3b0f47c201e7c6f2db2e

SHA512
6767a1b7798ef13c8f41c6a4805dc950f53b0a73c321b3a3b59c38693232f660eafdc21b08c0ae472b17ee9639cc55d863592586f0a4deb51106b111ec3c1ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6428.tmp\settings.dat

Filesize
2KB

MD5
9053991894eb4495eae052771e20b2b0

SHA1
291fb1256d9df4767f1d209b1ef2f528b4ef98c4

SHA256
3eaad270eae612eb953494af2e20e8531f22878a44cdbea4ee579ab1dc956863

SHA512
653275e4dd860df1494f25a0c5fb37a2cb0637161172b838168fb5c249a5a3aa5ae925577a44d1650ea956022524b593fb17dd962c03280dac6cfd21ab3e207e

Download Submit