e1d16bcd050157aa1d844f0f2ae4c7f02efb901e254b49b048e09699c04f77a1

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b641712ef7337e80e9a1aca990fc815_JaffaCakes118.exe
Size

67KB
MD5

1b641712ef7337e80e9a1aca990fc815
SHA1

99df880d0924181314d80ea03f6dbea39e0e5cad
SHA256

e1d16bcd050157aa1d844f0f2ae4c7f02efb901e254b49b048e09699c04f77a1
SHA512

ffc96de0d6f229e01ede268bb2a76f4f581f0ea1a1a78588099419e3e7be4e8814872c2a867078eec9351b2828025ae23923301eca6d5321343ba7bebfec6618
SSDEEP

1536:gBejSRIZGra0WvKS3MKJ3j5kLaT5AfDWdI:JGIEhSKUZ3VHdAfSdI

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wincfg = "C:\\Windows\\inf\\wincfg.exe"	reg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\inf\wincfg.exe	cmd.exe
File opened for modification	C:\Windows\inf\wincfg.exe	cmd.exe

Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2124	2988	1b641712ef7337e80e9a1aca990fc815_JaffaCakes118.exe	28
PID 2988 wrote to memory of 2124	2988	1b641712ef7337e80e9a1aca990fc815_JaffaCakes118.exe	28
PID 2988 wrote to memory of 2124	2988	1b641712ef7337e80e9a1aca990fc815_JaffaCakes118.exe	28
PID 2988 wrote to memory of 2124	2988	1b641712ef7337e80e9a1aca990fc815_JaffaCakes118.exe	28
PID 2124 wrote to memory of 1312	2124	cmd.exe	30
PID 2124 wrote to memory of 1312	2124	cmd.exe	30
PID 2124 wrote to memory of 1312	2124	cmd.exe	30
PID 2124 wrote to memory of 1312	2124	cmd.exe	30
PID 2124 wrote to memory of 1932	2124	cmd.exe	31
PID 2124 wrote to memory of 1932	2124	cmd.exe	31
PID 2124 wrote to memory of 1932	2124	cmd.exe	31
PID 2124 wrote to memory of 1932	2124	cmd.exe	31
PID 2124 wrote to memory of 1872	2124	cmd.exe	32
PID 2124 wrote to memory of 1872	2124	cmd.exe	32
PID 2124 wrote to memory of 1872	2124	cmd.exe	32
PID 2124 wrote to memory of 1872	2124	cmd.exe	32
PID 2124 wrote to memory of 2068	2124	cmd.exe	33
PID 2124 wrote to memory of 2068	2124	cmd.exe	33
PID 2124 wrote to memory of 2068	2124	cmd.exe	33
PID 2124 wrote to memory of 2068	2124	cmd.exe	33
PID 2124 wrote to memory of 2848	2124	cmd.exe	34
PID 2124 wrote to memory of 2848	2124	cmd.exe	34
PID 2124 wrote to memory of 2848	2124	cmd.exe	34
PID 2124 wrote to memory of 2848	2124	cmd.exe	34
PID 2124 wrote to memory of 2796	2124	cmd.exe	35
PID 2124 wrote to memory of 2796	2124	cmd.exe	35
PID 2124 wrote to memory of 2796	2124	cmd.exe	35
PID 2124 wrote to memory of 2796	2124	cmd.exe	35
PID 2124 wrote to memory of 2616	2124	cmd.exe	36
PID 2124 wrote to memory of 2616	2124	cmd.exe	36
PID 2124 wrote to memory of 2616	2124	cmd.exe	36
PID 2124 wrote to memory of 2616	2124	cmd.exe	36
PID 2124 wrote to memory of 2172	2124	cmd.exe	37
PID 2124 wrote to memory of 2172	2124	cmd.exe	37
PID 2124 wrote to memory of 2172	2124	cmd.exe	37
PID 2124 wrote to memory of 2172	2124	cmd.exe	37
PID 2124 wrote to memory of 3044	2124	cmd.exe	38
PID 2124 wrote to memory of 3044	2124	cmd.exe	38
PID 2124 wrote to memory of 3044	2124	cmd.exe	38
PID 2124 wrote to memory of 3044	2124	cmd.exe	38
PID 2124 wrote to memory of 2864	2124	cmd.exe	39
PID 2124 wrote to memory of 2864	2124	cmd.exe	39
PID 2124 wrote to memory of 2864	2124	cmd.exe	39
PID 2124 wrote to memory of 2864	2124	cmd.exe	39
PID 2124 wrote to memory of 3020	2124	cmd.exe	40
PID 2124 wrote to memory of 3020	2124	cmd.exe	40
PID 2124 wrote to memory of 3020	2124	cmd.exe	40
PID 2124 wrote to memory of 3020	2124	cmd.exe	40
PID 2124 wrote to memory of 2664	2124	cmd.exe	41
PID 2124 wrote to memory of 2664	2124	cmd.exe	41
PID 2124 wrote to memory of 2664	2124	cmd.exe	41
PID 2124 wrote to memory of 2664	2124	cmd.exe	41
PID 2124 wrote to memory of 2672	2124	cmd.exe	42
PID 2124 wrote to memory of 2672	2124	cmd.exe	42
PID 2124 wrote to memory of 2672	2124	cmd.exe	42
PID 2124 wrote to memory of 2672	2124	cmd.exe	42
PID 2124 wrote to memory of 2728	2124	cmd.exe	43
PID 2124 wrote to memory of 2728	2124	cmd.exe	43
PID 2124 wrote to memory of 2728	2124	cmd.exe	43
PID 2124 wrote to memory of 2728	2124	cmd.exe	43
PID 2728 wrote to memory of 2732	2728	net.exe	44
PID 2728 wrote to memory of 2732	2728	net.exe	44
PID 2728 wrote to memory of 2732	2728	net.exe	44
PID 2728 wrote to memory of 2732	2728	net.exe	44

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2696	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1b641712ef7337e80e9a1aca990fc815_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b641712ef7337e80e9a1aca990fc815_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\a12056.bat "C:\Users\Admin\AppData\Local\Temp\1b641712ef7337e80e9a1aca990fc815_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v wincfg /t reg_sz /d C:\Windows\inf\wincfg.exe /f
    3⤵
    - Adds Run key to start application
    PID:1312
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t reg_dword /d 00000001 /f
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoActiveDesktop /t reg_dword /d 00000001 /f
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewContextMenu /t reg_dword /d 00000001 /f
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t reg_dword /d 00000001 /f
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoThemesTab /t reg_dword /d 00000001 /f
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t reg_dword /d 00000001 /f
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d 00000001 /f
    3⤵
    - Disables RegEdit via registry modification
    PID:2172
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispBackgroundPage /t reg_dword /d 00000001 /f
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispScrSavPage /t reg_dword /d 00000001 /f
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispSettingsPage /t reg_dword /d 00000001 /f
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRun /t reg_dword /d 00000000 /f
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowControlPanel /t reg_dword /d 00000000 /f
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\net.exe
    net stop "Windows Audio"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Windows Audio"
      4⤵
      PID:2732
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s *
    3⤵
    - Views/modifies file attributes
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a12056.bat

Filesize
1KB

MD5
df22fa149e2266df6f4c4f5f259b8f51

SHA1
0419b27fb477effd48327afab6d014028b872261

SHA256
54e4a1b939bacf0b7b1b9b93c5a21a966f855bdf152ce1e6d8eb8ed47739988c

SHA512
3bc1c1654e1aac78384d7862f4fc7c871d5ec4ab6ec0a7ba6459389f312dbf36fc6be6c07f3ae4d1a3bab8cb84d10bce547467a4610cd6831b0ab4e4bde202ab

Download Submit
memory/2988-5-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads