Analysis

max time kernel: 51s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 00:25
Static task: static1

Behavioral task: behavioral1
  Sample: 1014dce2b5c3c975132f3bd358c95dd4_JaffaCakes118.exe
  Resource: win7-20240611-en

Behavioral task: behavioral2
  Sample: 1014dce2b5c3c975132f3bd358c95dd4_JaffaCakes118.exe
  Resource: win10v2004-20240508-en

The signatures, process tree and memory match below come from behavioral2 (win10v2004-20240508-en, sample PID 1460); the win7 run is not shown on this page.
General

Target: 1014dce2b5c3c975132f3bd358c95dd4_JaffaCakes118.exe
Size: 200KB
MD5: 1014dce2b5c3c975132f3bd358c95dd4
SHA1: 27429dae99813524600deaeccddce6eb1210fc02
SHA256: a7e33783d4ffac78319724ab63d3a9bad1329bbd1c5e0736248a7fea3bc06b09
SHA512: 67a387f42d05110930d56dbcb439b9e74a3fec58a71ab75320d9fc9cdf8ec3f3ea9c9e39f12b3d7b32c78e37595a720bc71c90d50e8dfe182ad91affea9b90f4
SSDEEP: 3072:59Bb3B2WXq85Xi+KxtAEyerA9XNh4K2DG+QCiYUMvvZAgBpJSb79V3Sz8LlYcLcq:59Bb5a2i+xq8Q6y2huM
Malware Config

Extracted family: sality
URLs from the extracted configuration:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Windows security bypass
Process: 1014dce2b5c3c975132f3bd358c95dd4_JaffaCakes118.exe (PID 1460)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
All six values are the Security Center override and notification-suppression switches. The paths sit under WOW6432Node because the sample is 32-bit (it launched C:\Windows\SysWOW64\netsh.exe, and the run is tagged arch:x86) and HKLM\SOFTWARE writes from a 32-bit process are redirected there on x64 Windows; when hunting, check the native Security Center path as well.
Disables RegEdit via registry modification (1 IoC)
Process: 1014dce2b5c3c975132f3bd358c95dd4_JaffaCakes118.exe (PID 1460)
  Set value (int)  \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"
The write is to the logged-on user's hive (HKU\<SID>, i.e. HKCU for that user), not to the machine-wide policy key.
Disables Task Manager via registry modification
-
Modifies Windows Firewall (2 TTPs, 1 IoC)
Process: netsh.exe (PID 2064)
Yara rule match: upx
  behavioral2/memory/1460-1-0x00000000021E0000-0x0000000003213000-memory.dmp  (rule: upx)
The only UPX match recorded is against a memory dump of PID 1460 (region 0x021E0000-0x03213000), so the UPX signature was found in the running process's memory rather than reported for the file on disk.
Windows security modification
Process: 1014dce2b5c3c975132f3bd358c95dd4_JaffaCakes118.exe (PID 1460)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Process: netsh.exe (PID 2064)
  Key queried           \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
  Key opened            \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
The three IoCs are read-only accesses to the NetSh key, which netsh.exe performs on every start to load its registered helper DLLs. No write to that key is recorded, so this is evidence that netsh ran, not that the sample registered a helper DLL for persistence; treat the Persistence mapping below accordingly.
Suspicious use of WriteProcessMemory (3 IoCs)
Process: 1014dce2b5c3c975132f3bd358c95dd4_JaffaCakes118.exe (PID 1460)
  PID 1460 wrote to memory of PID 2064  (target process: netsh.exe)
  PID 1460 wrote to memory of PID 2064  (target process: netsh.exe)
  PID 1460 wrote to memory of PID 2064  (target process: netsh.exe)
All three writes go from the sample into the netsh.exe child it spawned (see the process tree).
Processes

1. C:\Users\Admin\AppData\Local\Temp\1014dce2b5c3c975132f3bd358c95dd4_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1014dce2b5c3c975132f3bd358c95dd4_JaffaCakes118.exe"
   PID: 1460
   - Windows security bypass
   - Disables RegEdit via registry modification
   - Windows security modification
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\netsh.exe  (child of PID 1460)
      Command line: netsh firewall set opmode disable
      PID: 2064
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL

The child uses the legacy netsh firewall context (deprecated since Windows Vista in favour of netsh advfirewall, but still present on Windows 10), so detections that only look for "netsh advfirewall set ... state off" miss this command line; cover both forms.
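Added hunting script, not part of the Triage report and not the sample's code, that checks a live Windows host for the indicators recorded above: the Security Center values and Svc key, the per-user DisableRegistryTools/DisableTaskMgr policy values, the firewall profile state, and a netsh command line matching the one in the process tree. Assumptions that are mine rather than the report's: it runs elevated in 64-bit Windows PowerShell 5.1 or later on Windows 10, the NetSecurity module is available, and Sysmon or Security 4688 command-line auditing may or may not be present (the event search is best-effort and the 7-day window is arbitrary).

```powershell
# Added hunting script (not part of the Triage report). Checks a live Windows host for the
# registry, firewall and process-creation indicators recorded in the report above.
# Assumptions (mine, not the report's): run elevated in 64-bit Windows PowerShell 5.1+ on
# Windows 10; NetSecurity module present; Sysmon and 4688 command-line auditing are optional.

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Security Center override / notification-suppression values ("Windows security bypass" and
#    "Windows security modification"). The report shows the WOW6432Node path because the 32-bit
#    sample's HKLM\SOFTWARE writes are redirected on x64; a 64-bit variant would hit the native
#    path, so both are checked, plus the Svc subkey the report shows being created.
$scValues = 'AntiVirusDisableNotify', 'AntiVirusOverride', 'FirewallDisableNotify',
            'FirewallOverride', 'UpdatesDisableNotify', 'UacDisableNotify'
$scPaths  = 'HKLM:\SOFTWARE\Microsoft\Security Center',
            'HKLM:\SOFTWARE\Microsoft\Security Center\Svc',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc'
foreach ($path in $scPaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $props = Get-ItemProperty -LiteralPath $path
    foreach ($name in $scValues) {
        if ($null -ne $props.PSObject.Properties[$name] -and $props.$name -eq 1) {
            $findings.Add("$path\$name = 1")
        }
    }
}

# 2. Policy values ("Disables RegEdit" / "Disables Task Manager"). The report shows the write
#    under HKU\<SID>, so every loaded user hive is walked, not only HKCU, plus the machine key.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$policyTail  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policyPaths = @("HKLM:\$policyTail")
$policyPaths += @(Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\$policyTail" })
foreach ($path in $policyPaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $props = Get-ItemProperty -LiteralPath $path
    foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
        # DisableRegistryTools accepts 1 (block) or 2 (block silently), so test for non-zero.
        if ($null -ne $props.PSObject.Properties[$name] -and $props.$name -ne 0) {
            $findings.Add("$path\$name = $($props.$name)")
        }
    }
}

# 3. Current firewall state ("Modifies Windows Firewall").
Get-NetFirewallProfile -ErrorAction SilentlyContinue |
    Where-Object { [string]$_.Enabled -eq 'False' } |
    ForEach-Object { $findings.Add("Windows Firewall profile '$($_.Name)' is disabled") }

# 4. Process-creation evidence. The sample used the legacy 'netsh firewall' context; the pattern
#    also covers the modern 'netsh advfirewall' form so a newer variant is not missed.
#    Security 4688 only carries the command line when command-line auditing is enabled.
$netshPattern = '(?i)netsh(\.exe)?\s+(firewall\s+set\s+opmode\s+disable|advfirewall\s+set\s+\w+\s+state\s+off)'
$since  = (Get-Date).AddDays(-7)
$events = @()
$events += @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue)
$events += @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue)
foreach ($e in $events) {
    if ($e.Message -match $netshPattern) {
        $findings.Add("$($e.TimeCreated) $($e.ProviderName) EventID $($e.Id): $($Matches[0])")
    }
}

if ($findings.Count -eq 0) {
    'No indicators from this report were found on this host.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

A hit on any Security Center value set to 1 or on a non-zero DisableRegistryTools/DisableTaskMgr is worth investigating on its own, since normal Windows does not set them; a disabled firewall profile or a matching netsh command line is what ties a host to this behaviour specifically.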
Network
MITRE ATT&CK Enterprise v15

Persistence
  Create or Modify System Process (1): Windows Service (1)  [T1543.003]
  Event Triggered Execution (1): Netsh Helper DLL (1)  [T1546.007]

Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)  [T1543.003]
  Event Triggered Execution (1): Netsh Helper DLL (1)  [T1546.007]