Analysis
- max time kernel: 150s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 04/07/2024, 07:17 UTC
Static task: static1
Behavioral task: behavioral1
Sample: 25156626002546058dce1191e0386ab7_JaffaCakes118.exe
Resource: win7-20240508-en
General
- Target: 25156626002546058dce1191e0386ab7_JaffaCakes118.exe
- Size: 387KB
- MD5: 25156626002546058dce1191e0386ab7
- SHA1: 5e612b93d5e29c5a09220749d5f1d8842c01c213
- SHA256: 7c411adaa05fe3f368acca417d15662fd2057df49ae2945fcd4c058d4a826080
- SHA512: ddeeb1704b3be10254298476aa211b5abc2b3fde6bc64072fdc5f619e72b375cfac74871a713c5bf0734f0a26dcb140690a42dd25c2d6c93db2d861758011b39
- SSDEEP: 12288:eR6S15cdkN/U5onLa/0spyxIuZvUXXWDZAdvFh:nS/Ca/mo+/0ssIdm9AP
Malware Config
Signatures
UAC bypass 1 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (043A6A5B00014973000C42C6B4EB2331.exe)
Windows security bypass 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (043A6A5B00014973000C42C6B4EB2331.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (043A6A5B00014973000C42C6B4EB2331.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (043A6A5B00014973000C42C6B4EB2331.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (043A6A5B00014973000C42C6B4EB2331.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (043A6A5B00014973000C42C6B4EB2331.exe)
Disables taskbar notifications via registry modification
Deletes itself 1 IoCs
- PID 1712 043A6A5B00014973000C42C6B4EB2331.exe
Executes dropped EXE 1 IoCs
- PID 1712 043A6A5B00014973000C42C6B4EB2331.exe
Loads dropped DLL 1 IoCs
- PID 3016 25156626002546058dce1191e0386ab7_JaffaCakes118.exe
Windows security modification 7 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (043A6A5B00014973000C42C6B4EB2331.exe)
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc (043A6A5B00014973000C42C6B4EB2331.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc (043A6A5B00014973000C42C6B4EB2331.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (043A6A5B00014973000C42C6B4EB2331.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (043A6A5B00014973000C42C6B4EB2331.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (043A6A5B00014973000C42C6B4EB2331.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (043A6A5B00014973000C42C6B4EB2331.exe)
Checks whether UAC is enabled 1 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (043A6A5B00014973000C42C6B4EB2331.exe)
Modifies registry class 22 IoCs
All entries are under \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES and were made by 043A6A5B00014973000C42C6B4EB2331.exe:
- Set value (str) \043A6\shell\start\command\IsolatedCommand = "\"%1\" %*"
- Key created \043A6\shell\runas
- Key created \.exe
- Set value (str) \%s\ = "043A6"
- Set value (str) \043A6\ = "Application"
- Set value (str) \043A6\DefaultIcon\ = "%1"
- Key created \043A6\shell
- Set value (str) \043A6\shell\start\command\ = "\"%1\" %*"
- Key created \043A6\DefaultIcon
- Key created \043A6\shell\open\command
- Key created \043A6\shell\start
- Set value (str) \043A6\shell\runas\command\ = "\"%1\" %*"
- Set value (str) \043A6\shell\runas\command\IsolatedCommand = "\"%1\" %*"
- Set value (str) \.exe\ = "043A6"
- Key created \%s
- Key created \043A6
- Set value (str) \043A6\shell\open\command\ = "\"C:\\ProgramData\\043A6A5B00014973000C42C6B4EB2331\\043A6A5B00014973000C42C6B4EB2331.exe\" -s \"%1\" %*"
- Set value (str) \043A6\Content Type = "application/x-msdownload"
- Key created \043A6\shell\open
- Set value (str) \043A6\shell\open\command\IsolatedCommand = "\"%1\" %*"
- Key created \043A6\shell\start\command
- Key created \043A6\shell\runas\command
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 3016 25156626002546058dce1191e0386ab7_JaffaCakes118.exe (1 entry)
- PID 1712 043A6A5B00014973000C42C6B4EB2331.exe (63 entries)
Suspicious use of FindShellTrayWindow 2 IoCs
- PID 1712 043A6A5B00014973000C42C6B4EB2331.exe (2 entries)
Suspicious use of SendNotifyMessage 2 IoCs
- PID 1712 043A6A5B00014973000C42C6B4EB2331.exe (2 entries)
Suspicious use of SetWindowsHookEx 2 IoCs
- PID 1712 043A6A5B00014973000C42C6B4EB2331.exe (2 entries)
Suspicious use of WriteProcessMemory 4 IoCs
- PID 3016 wrote to memory of 1712 (pid 3016, 25156626002546058dce1191e0386ab7_JaffaCakes118.exe, procid_target 28) (4 identical entries)
System policy modification 1 TTPs 1 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (043A6A5B00014973000C42C6B4EB2331.exe)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\25156626002546058dce1191e0386ab7_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\25156626002546058dce1191e0386ab7_JaffaCakes118.exe"
  PID: 3016
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Level 2 (child of PID 3016): C:\ProgramData\043A6A5B00014973000C42C6B4EB2331\043A6A5B00014973000C42C6B4EB2331.exe
    Command line: "C:\ProgramData\043A6A5B00014973000C42C6B4EB2331\043A6A5B00014973000C42C6B4EB2331.exe" -d "C:\Users\Admin\AppData\Local\Temp\25156626002546058dce1191e0386ab7_JaffaCakes118.exe"
    PID: 1712
    - UAC bypass
    - Windows security bypass
    - Deletes itself
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - System policy modification
Network
- No results found
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 328B
  MD5: bf83c65f82286257931940179fe735b0
  SHA1: 1d9ce8c3af14404ba589d1fdee077830e2726f3f
  SHA256: 975183e5f62f1ce32d552881d5e2eb7ffe41a1d07a76e80099f48d0521a94519
  SHA512: d63f0917d1e3c03e67cbfc7ca2229afba50a5f4d1aee32d13dc4c3ceb3e99867de93a85ae809d802de0cd24409998c1c6ef2254f710d22cb29fdd0ad6760b7ee
- Filesize: 387KB (same hashes as the submitted sample)
  MD5: 25156626002546058dce1191e0386ab7
  SHA1: 5e612b93d5e29c5a09220749d5f1d8842c01c213
  SHA256: 7c411adaa05fe3f368acca417d15662fd2057df49ae2945fcd4c058d4a826080
  SHA512: ddeeb1704b3be10254298476aa211b5abc2b3fde6bc64072fdc5f619e72b375cfac74871a713c5bf0734f0a26dcb140690a42dd25c2d6c93db2d861758011b39