Analysis

Max time kernel: 125s
Max time network: 127s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25-06-2024 21:02

Static task: static1

Behavioral task: behavioral1
  Sample: 0f83fe4211a3c4fbe59818fa9c8a3508_JaffaCakes118.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 0f83fe4211a3c4fbe59818fa9c8a3508_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General

Target: 0f83fe4211a3c4fbe59818fa9c8a3508_JaffaCakes118.exe
Size: 155KB
MD5: 0f83fe4211a3c4fbe59818fa9c8a3508
SHA1: b471f1015bd938f20fdaf75086dc1ec59def0e4a
SHA256: c823551b597cfac3ebdbe69c196555335b32d42cf3838907eff8f565eac60741
SHA512: 5565c063274e23416f5c1ec5505619ca8f24346f68a50669af785dfe8bfc1bb436b879689708392b549d392e26c2a681ef95bb9fd34c2fef04023f0148ccfe07
SSDEEP: 3072:Y5dnu0W5ZyYi+KpM6TWyrtGGF4Mzbu4gCMj+gFc4XldY:QnxIZhKp1RF5y02HdY
Malware Config

Extracted: sality
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

UAC bypass (signature name taken from the process tree below)
  Process: 0f83fe4211a3c4fbe59818fa9c8a3508_JaffaCakes118.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass (signature name taken from the process tree below)
  Process: 0f83fe4211a3c4fbe59818fa9c8a3508_JaffaCakes118.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"

Disables RegEdit via registry modification 1 IoCs
  Process: 0f83fe4211a3c4fbe59818fa9c8a3508_JaffaCakes118.exe
    Set value (int)  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"

Disables Task Manager via registry modification

Modifies Windows Firewall 2 TTPs 1 IoCs
  Process: netsh.exe (PID 3360)

Yara rule match: upx
  resource                                                                     yara_rule
  behavioral2/memory/2588-0-0x00000000009E0000-0x0000000001A13000-memory.dmp  upx
  behavioral2/memory/2588-5-0x00000000009E0000-0x0000000001A13000-memory.dmp  upx

Windows security modification (signature name taken from the process tree below)
  Process: 0f83fe4211a3c4fbe59818fa9c8a3508_JaffaCakes118.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
    Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc

Checks whether UAC is enabled (signature name taken from the process tree below)
  Process: 0f83fe4211a3c4fbe59818fa9c8a3508_JaffaCakes118.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Drops file in Windows directory 1 IoCs
  Process: 0f83fe4211a3c4fbe59818fa9c8a3508_JaffaCakes118.exe
    File opened for modification  C:\Windows\SYSTEM.INI

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Process: netsh.exe
    Key opened            \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
    Key queried           \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
    Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh

Suspicious use of WriteProcessMemory 3 IoCs
  description                        pid   process                                             target process
  PID 2588 wrote to memory of 3360   2588  0f83fe4211a3c4fbe59818fa9c8a3508_JaffaCakes118.exe  netsh.exe
  PID 2588 wrote to memory of 3360   2588  0f83fe4211a3c4fbe59818fa9c8a3508_JaffaCakes118.exe  netsh.exe
  PID 2588 wrote to memory of 3360   2588  0f83fe4211a3c4fbe59818fa9c8a3508_JaffaCakes118.exe  netsh.exe

System policy modification 1 TTPs 1 IoCs
  Process: 0f83fe4211a3c4fbe59818fa9c8a3508_JaffaCakes118.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes

C:\Users\Admin\AppData\Local\Temp\0f83fe4211a3c4fbe59818fa9c8a3508_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f83fe4211a3c4fbe59818fa9c8a3508_JaffaCakes118.exe"
  PID: 2588
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Windows\SysWOW64\netsh.exe (child of PID 2588)
    Command line: netsh firewall set opmode disable
    PID: 3360
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1036,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8
  PID: 4856
Network
MITRE ATT&CK Enterprise v15

Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)