b0d66ec3fc90433d7cf3d220145573b6d2f5222a6fa6c86df879bb9cf5523a4b

Analysis

max time kernel
148s
max time network
142s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17e6591d1c4f909dcb60b29ee4bef2e6_JaffaCakes118.exe
Size

584KB
MD5

17e6591d1c4f909dcb60b29ee4bef2e6
SHA1

acbac458911faf6922b2a0a0a68d3941d1076687
SHA256

b0d66ec3fc90433d7cf3d220145573b6d2f5222a6fa6c86df879bb9cf5523a4b
SHA512

0c6428703656e794028f2f48215795a5aca5ab3adc30645b502dae518b5253220126e8c3b163cdcd8c2b1713c03a4671fb299f6e89f4be85ccc7da83e2cf0ba8
SSDEEP

12288:7hm6OFtBbaxN/cGVJsNkas85tPRCBFea41OPob9ZiM0jfy0tL:7UvPBbaptP

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\csc.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2932 set thread context of 3024	2932	17e6591d1c4f909dcb60b29ee4bef2e6_JaffaCakes118.exe	28

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2792	reg.exe
2276	reg.exe
2496	reg.exe
2620	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	3024	csc.exe
Token: SeCreateTokenPrivilege	3024	csc.exe
Token: SeAssignPrimaryTokenPrivilege	3024	csc.exe
Token: SeLockMemoryPrivilege	3024	csc.exe
Token: SeIncreaseQuotaPrivilege	3024	csc.exe
Token: SeMachineAccountPrivilege	3024	csc.exe
Token: SeTcbPrivilege	3024	csc.exe
Token: SeSecurityPrivilege	3024	csc.exe
Token: SeTakeOwnershipPrivilege	3024	csc.exe
Token: SeLoadDriverPrivilege	3024	csc.exe
Token: SeSystemProfilePrivilege	3024	csc.exe
Token: SeSystemtimePrivilege	3024	csc.exe
Token: SeProfSingleProcessPrivilege	3024	csc.exe
Token: SeIncBasePriorityPrivilege	3024	csc.exe
Token: SeCreatePagefilePrivilege	3024	csc.exe
Token: SeCreatePermanentPrivilege	3024	csc.exe
Token: SeBackupPrivilege	3024	csc.exe
Token: SeRestorePrivilege	3024	csc.exe
Token: SeShutdownPrivilege	3024	csc.exe
Token: SeDebugPrivilege	3024	csc.exe
Token: SeAuditPrivilege	3024	csc.exe
Token: SeSystemEnvironmentPrivilege	3024	csc.exe
Token: SeChangeNotifyPrivilege	3024	csc.exe
Token: SeRemoteShutdownPrivilege	3024	csc.exe
Token: SeUndockPrivilege	3024	csc.exe
Token: SeSyncAgentPrivilege	3024	csc.exe
Token: SeEnableDelegationPrivilege	3024	csc.exe
Token: SeManageVolumePrivilege	3024	csc.exe
Token: SeImpersonatePrivilege	3024	csc.exe
Token: SeCreateGlobalPrivilege	3024	csc.exe
Token: 31	3024	csc.exe
Token: 32	3024	csc.exe
Token: 33	3024	csc.exe
Token: 34	3024	csc.exe
Token: 35	3024	csc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3024	csc.exe
3024	csc.exe
3024	csc.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 3024	2932	17e6591d1c4f909dcb60b29ee4bef2e6_JaffaCakes118.exe	28
PID 2932 wrote to memory of 3024	2932	17e6591d1c4f909dcb60b29ee4bef2e6_JaffaCakes118.exe	28
PID 2932 wrote to memory of 3024	2932	17e6591d1c4f909dcb60b29ee4bef2e6_JaffaCakes118.exe	28
PID 2932 wrote to memory of 3024	2932	17e6591d1c4f909dcb60b29ee4bef2e6_JaffaCakes118.exe	28
PID 2932 wrote to memory of 3024	2932	17e6591d1c4f909dcb60b29ee4bef2e6_JaffaCakes118.exe	28
PID 2932 wrote to memory of 3024	2932	17e6591d1c4f909dcb60b29ee4bef2e6_JaffaCakes118.exe	28
PID 2932 wrote to memory of 3024	2932	17e6591d1c4f909dcb60b29ee4bef2e6_JaffaCakes118.exe	28
PID 2932 wrote to memory of 3024	2932	17e6591d1c4f909dcb60b29ee4bef2e6_JaffaCakes118.exe	28
PID 3024 wrote to memory of 2824	3024	csc.exe	29
PID 3024 wrote to memory of 2824	3024	csc.exe	29
PID 3024 wrote to memory of 2824	3024	csc.exe	29
PID 3024 wrote to memory of 2824	3024	csc.exe	29
PID 3024 wrote to memory of 2600	3024	csc.exe	30
PID 3024 wrote to memory of 2600	3024	csc.exe	30
PID 3024 wrote to memory of 2600	3024	csc.exe	30
PID 3024 wrote to memory of 2600	3024	csc.exe	30
PID 3024 wrote to memory of 2648	3024	csc.exe	32
PID 3024 wrote to memory of 2648	3024	csc.exe	32
PID 3024 wrote to memory of 2648	3024	csc.exe	32
PID 3024 wrote to memory of 2648	3024	csc.exe	32
PID 3024 wrote to memory of 2660	3024	csc.exe	33
PID 3024 wrote to memory of 2660	3024	csc.exe	33
PID 3024 wrote to memory of 2660	3024	csc.exe	33
PID 3024 wrote to memory of 2660	3024	csc.exe	33
PID 2648 wrote to memory of 2792	2648	cmd.exe	40
PID 2648 wrote to memory of 2792	2648	cmd.exe	40
PID 2648 wrote to memory of 2792	2648	cmd.exe	40
PID 2648 wrote to memory of 2792	2648	cmd.exe	40
PID 2824 wrote to memory of 2276	2824	cmd.exe	39
PID 2824 wrote to memory of 2276	2824	cmd.exe	39
PID 2824 wrote to memory of 2276	2824	cmd.exe	39
PID 2824 wrote to memory of 2276	2824	cmd.exe	39
PID 2660 wrote to memory of 2496	2660	cmd.exe	38
PID 2660 wrote to memory of 2496	2660	cmd.exe	38
PID 2660 wrote to memory of 2496	2660	cmd.exe	38
PID 2660 wrote to memory of 2496	2660	cmd.exe	38
PID 2600 wrote to memory of 2620	2600	cmd.exe	37
PID 2600 wrote to memory of 2620	2600	cmd.exe	37
PID 2600 wrote to memory of 2620	2600	cmd.exe	37
PID 2600 wrote to memory of 2620	2600	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\17e6591d1c4f909dcb60b29ee4bef2e6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17e6591d1c4f909dcb60b29ee4bef2e6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2932-17-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2932-1-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2932-2-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2932-0-0x0000000074F01000-0x0000000074F02000-memory.dmp

Filesize
4KB

Download
memory/3024-20-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3024-24-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3024-7-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3024-5-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3024-10-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3024-16-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3024-4-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3024-21-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3024-23-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3024-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3024-25-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3024-27-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3024-28-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3024-29-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3024-31-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3024-32-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3024-33-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3024-35-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads