Analysis

max time kernel: 150s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-07-2024 07:17

Static task: static1
Behavioral task: behavioral1
Sample: 25156626002546058dce1191e0386ab7_JaffaCakes118.exe
Resource: win7-20240508-en
General

Target: 25156626002546058dce1191e0386ab7_JaffaCakes118.exe
Size: 387KB
MD5: 25156626002546058dce1191e0386ab7
SHA1: 5e612b93d5e29c5a09220749d5f1d8842c01c213
SHA256: 7c411adaa05fe3f368acca417d15662fd2057df49ae2945fcd4c058d4a826080
SHA512: ddeeb1704b3be10254298476aa211b5abc2b3fde6bc64072fdc5f619e72b375cfac74871a713c5bf0734f0a26dcb140690a42dd25c2d6c93db2d861758011b39
SSDEEP: 12288:eR6S15cdkN/U5onLa/0spyxIuZvUXXWDZAdvFh:nS/Ca/mo+/0ssIdm9AP
Malware Config

Signatures

UAC bypass 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6A5B00014973000BE16A6C2A6DDB.exe
Policies\System is a shared key that WOW64 does not redirect, so this write from the 32-bit sample (resource tag arch:x86) changes the real UAC policy; EnableLUA = 0 turns UAC off for every user from the next reboot.

Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 043A6A5B00014973000BE16A6C2A6DDB.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 043A6A5B00014973000BE16A6C2A6DDB.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 043A6A5B00014973000BE16A6C2A6DDB.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 043A6A5B00014973000BE16A6C2A6DDB.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 043A6A5B00014973000BE16A6C2A6DDB.exe
These writes landed in the WOW6432Node view because the sample is a 32-bit process and Security Center is not a shared key. The 64-bit Security Center service reads the native HKLM\SOFTWARE\Microsoft\Security Center, so on this x64 image the notification suppression is less effective than it would be on 32-bit Windows; the values are still a clean host indicator, and a triage check should read both views.
Disables taskbar notifications via registry modification

Deletes itself 1 IoCs
pid | Process
836 | 043A6A5B00014973000BE16A6C2A6DDB.exe
PID 836 is the dropped copy under C:\ProgramData, started with -d "<path of the original sample>" (see Processes); the file removed is the original dropper in the user's Temp directory, consistent with that argument.

Executes dropped EXE 1 IoCs
pid | Process
836 | 043A6A5B00014973000BE16A6C2A6DDB.exe

Windows security modification 7 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\svc | 043A6A5B00014973000BE16A6C2A6DDB.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 043A6A5B00014973000BE16A6C2A6DDB.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 043A6A5B00014973000BE16A6C2A6DDB.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 043A6A5B00014973000BE16A6C2A6DDB.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 043A6A5B00014973000BE16A6C2A6DDB.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 043A6A5B00014973000BE16A6C2A6DDB.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Security Center\svc | 043A6A5B00014973000BE16A6C2A6DDB.exe

Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6A5B00014973000BE16A6C2A6DDB.exe
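The four registry signatures above (UAC bypass, Windows security bypass, Windows security modification, Checks whether UAC is enabled) come down to six DWORD values under two keys. The script below is an added triage example, not part of the sandbox report and not code from the sample: it reads those values on a suspect host, checks Security Center in both the native and the WOW6432Node view for the reason given above, and with -Fix restores Windows defaults (EnableLUA = 1, the notify/override values set back to 0). The registry paths are the ones in the report; the "svc" subkey is only reported, since the page says nothing about what it is for, and the assumption that it is harmless to leave in place is mine.

```powershell
# Added triage example; not code from the sandbox report or from the sample.
# Run from an elevated PowerShell on the suspect host. Checks the six values the
# sample writes and, with -Fix, restores Windows defaults (try -Fix -WhatIf first).
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Fix)

$findings = New-Object System.Collections.Generic.List[object]

# UAC. Policies\System is a shared key (not WOW64-redirected), so the 32-bit sample's
# EnableLUA=0 write changed the real policy. Changing it back also needs a reboot.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($enableLua -eq 0) {
    $findings.Add([pscustomobject]@{ Path = $uacKey; Name = 'EnableLUA'; Value = $enableLua })
    if ($Fix -and $PSCmdlet.ShouldProcess("$uacKey\EnableLUA", 'Set to 1 (re-enable UAC, effective after reboot)')) {
        Set-ItemProperty -Path $uacKey -Name EnableLUA -Value 1 -Type DWord
    }
}

# Security Center. The sample is 32-bit, so its writes were redirected to WOW6432Node,
# while the 64-bit Security Center service reads the native view. Check both: the
# native view says whether notifications are really suppressed, the WOW6432Node
# view is where this sample's artefacts are.
$scKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Security Center',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center'
)
$notifyValues = 'AntiVirusDisableNotify', 'AntiVirusOverride',
                'FirewallDisableNotify', 'FirewallOverride', 'UpdatesDisableNotify'

foreach ($key in $scKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $notifyValues) {
        $value = $props.$name          # $null when the value does not exist
        if ($value -eq 1) {
            $findings.Add([pscustomobject]@{ Path = $key; Name = $name; Value = $value })
            # 1 suppresses the corresponding Action Center warning; 0 is the default behaviour.
            if ($Fix -and $PSCmdlet.ShouldProcess("$key\$name", 'Set to 0')) {
                Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
            }
        }
    }
    # The sample also creates a "svc" subkey here. Its purpose is not documented in the
    # report, so it is reported and left for the analyst (assumption: safe to leave).
    $svc = Join-Path -Path $key -ChildPath 'svc'
    if (Test-Path -Path $svc) {
        $findings.Add([pscustomobject]@{ Path = $svc; Name = '(subkey)'; Value = 'present' })
    }
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize } else { 'No matching registry changes found.' }
```

Save it under any name (the name is not from the page) and run it once without switches to see the findings, then with -Fix -WhatIf to preview the writes before applying them. A clean host prints the "No matching registry changes found." line; an infected one lists the path, value name and current data for each hit.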
Modifies registry class 22 IoCs
description | ioc | Process
All 22 entries are under \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes, written by 043A6A5B00014973000BE16A6C2A6DDB.exe; the key paths below are relative to that hive.
Key created | .exe
Key created | %s
Key created | 043A6
Key created | 043A6\DefaultIcon
Key created | 043A6\shell
Key created | 043A6\shell\open
Key created | 043A6\shell\open\command
Key created | 043A6\shell\runas
Key created | 043A6\shell\runas\command
Key created | 043A6\shell\start
Key created | 043A6\shell\start\command
Set value (str) | .exe\ = "043A6"
Set value (str) | %s\ = "043A6"
Set value (str) | 043A6\ = "Application"
Set value (str) | 043A6\Content Type = "application/x-msdownload"
Set value (str) | 043A6\DefaultIcon\ = "%1"
Set value (str) | 043A6\shell\open\command\ = "\"C:\\ProgramData\\043A6A5B00014973000BE16A6C2A6DDB\\043A6A5B00014973000BE16A6C2A6DDB.exe\" -s \"%1\" %*"
Set value (str) | 043A6\shell\open\command\IsolatedCommand = "\"%1\" %*"
Set value (str) | 043A6\shell\runas\command\ = "\"%1\" %*"
Set value (str) | 043A6\shell\runas\command\IsolatedCommand = "\"%1\" %*"
Set value (str) | 043A6\shell\start\command\ = "\"%1\" %*"
Set value (str) | 043A6\shell\start\command\IsolatedCommand = "\"%1\" %*"
The <SID>_Classes hive is the current user's HKCU\Software\Classes, which takes precedence over HKLM\Software\Classes when HKCR is assembled, so the change needs no administrative rights. Its effect: .exe now resolves to the new ProgID 043A6, whose open verb runs "C:\ProgramData\043A6A5B00014973000BE16A6C2A6DDB\043A6A5B00014973000BE16A6C2A6DDB.exe" -s "<target>" <args>, so every executable the user starts through the shell passes through the sample first (ATT&CK T1546.001, Change Default File Association). The runas and start verbs keep the default "%1" %*, so "Run as administrator" still launches the real target. The key literally named %s is an unformatted printf-style pattern the sample failed to expand; it has no legitimate use and is a high-confidence indicator on its own.
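To check a host for this association hijack, and for the drop location seen in the Processes and Downloads sections, the following PowerShell is an added triage example (not code from the report or from the sample). It is run as the affected user, because the hijack lives in that user's Classes hive. Assumptions not taken from the page: the Windows default .exe open command is "%1" %*, removing the per-user .exe override makes HKLM's exefile apply again, and the drop directory is assumed to follow the same shape as the one in the report (a 32-hex-character folder under C:\ProgramData containing an .exe of the same name). The SHA256 default is the submitted sample's hash from the General section.

```powershell
# Added triage example; not code from the sandbox report or from the sample.
# Run as the affected user. -Fix removes the per-user .exe override only when a
# hijacked open command was found; use -Fix -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Fix,
    # Submitted sample's SHA256 from the report, to recognise the dropped copy.
    [string]$KnownSha256 = '7c411adaa05fe3f368acca417d15662fd2057df49ae2945fcd4c058d4a826080'
)

$classes     = 'HKCU:\Software\Classes'
$defaultOpen = '"%1" %*'                      # Windows default for exefile\shell\open\command
$findings    = New-Object System.Collections.Generic.List[string]
$hijacked    = $false

# 1. Per-user .exe ProgID override. On a clean host HKCU\Software\Classes\.exe does not
#    exist, so HKCR resolves .exe to HKLM's "exefile".
$exeKey = Join-Path -Path $classes -ChildPath '.exe'
if (Test-Path -Path $exeKey) {
    $progId = (Get-ItemProperty -Path $exeKey).'(default)'
    $findings.Add("per-user .exe ProgID override: '$progId'")

    $openKey = Join-Path -Path $classes -ChildPath "$progId\shell\open\command"
    $open = (Get-ItemProperty -Path $openKey -ErrorAction SilentlyContinue).'(default)'
    if ($open -and $open -ne $defaultOpen) {
        $hijacked = $true
        $findings.Add("hijacked open command: $open")
        # The interposed binary is the first quoted token; the real program follows as "%1".
        if ($open -match '^"([^"]+)"') {
            $interposed = $Matches[1]
            if (Test-Path -LiteralPath $interposed) {
                $hash = (Get-FileHash -LiteralPath $interposed -Algorithm SHA256).Hash.ToLower()
                $tag  = if ($hash -eq $KnownSha256.ToLower()) { 'matches submitted sample' } else { 'hash differs from report' }
                $findings.Add("interposed binary present: $interposed SHA256=$hash ($tag)")
            } else {
                $findings.Add("interposed binary referenced but missing on disk: $interposed")
            }
        }
    }

    if ($Fix -and $hijacked -and $PSCmdlet.ShouldProcess("$exeKey and $classes\$progId", 'Remove per-user .exe association')) {
        Remove-Item -Path $exeKey -Recurse -Force
        $progKey = Join-Path -Path $classes -ChildPath $progId
        if ($progId -and (Test-Path -Path $progKey)) { Remove-Item -Path $progKey -Recurse -Force }
    }
}

# 2. The literal "%s" key is an unexpanded printf-style pattern the sample leaves behind.
$fmtKey = Join-Path -Path $classes -ChildPath '%s'
if (Test-Path -LiteralPath $fmtKey) {
    $fmtDefault = (Get-ItemProperty -LiteralPath $fmtKey).'(default)'
    $findings.Add("literal '%s' class key present (default = '$fmtDefault')")
    if ($Fix -and $PSCmdlet.ShouldProcess($fmtKey, 'Remove key')) { Remove-Item -LiteralPath $fmtKey -Recurse -Force }
}

# 3. Drop location shape from the report: C:\ProgramData\<32 hex>\<same 32 hex>.exe
Get-ChildItem -Path 'C:\ProgramData' -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^[0-9A-Fa-f]{32}$' } |
    ForEach-Object {
        $exe = Join-Path -Path $_.FullName -ChildPath "$($_.Name).exe"
        if (Test-Path -LiteralPath $exe) {
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash.ToLower()
            $tag  = if ($hash -eq $KnownSha256.ToLower()) { 'matches submitted sample' } else { 'unknown hash' }
            $findings.Add("dropped copy: $exe SHA256=$hash ($tag)")
        }
    }

if ($findings.Count -gt 0) { $findings } else { 'No .exe association hijack or drop artefacts found.' }
```

Removing the override is done only when the open command differs from the default, so a user who legitimately re-pointed .exe at exefile in HKCU is left alone. Do not double-click anything on the host before the override is gone: with the hijack in place, every .exe launched through Explorer runs the interposed binary first. The dropped file is reported with its hash rather than deleted, so it can be preserved as evidence.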
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
888 | 25156626002546058dce1191e0386ab7_JaffaCakes118.exe (2 hits)
836 | 043A6A5B00014973000BE16A6C2A6DDB.exe (62 hits)

Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
836 | 043A6A5B00014973000BE16A6C2A6DDB.exe (2 hits)

Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
836 | 043A6A5B00014973000BE16A6C2A6DDB.exe (2 hits)

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
836 | 043A6A5B00014973000BE16A6C2A6DDB.exe (2 hits)

Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 888 wrote to memory of 836 | 888 | 25156626002546058dce1191e0386ab7_JaffaCakes118.exe | 86 (3 hits)
All three writes go from the parent into the child it spawns (see Processes); no writes into unrelated processes were recorded, so this is consistent with ordinary process creation rather than injection into another process.

System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 043A6A5B00014973000BE16A6C2A6DDB.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\25156626002546058dce1191e0386ab7_JaffaCakes118.exe (PID 888)
    command line: "C:\Users\Admin\AppData\Local\Temp\25156626002546058dce1191e0386ab7_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\ProgramData\043A6A5B00014973000BE16A6C2A6DDB\043A6A5B00014973000BE16A6C2A6DDB.exe (PID 836, child of 888)
        command line: "C:\ProgramData\043A6A5B00014973000BE16A6C2A6DDB\043A6A5B00014973000BE16A6C2A6DDB.exe" -d "C:\Users\Admin\AppData\Local\Temp\25156626002546058dce1191e0386ab7_JaffaCakes118.exe"
        - UAC bypass
        - Windows security bypass
        - Deletes itself
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - System policy modification
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 328B
MD5: 41207ed600fe38535e6400e9dc79052d
SHA1: 5363315e72d60812eb474d2dcbf7b4404c19bc00
SHA256: 12d7f351ad1e6da6b1d1c78640f0bba00f3b36a5bea37e45fc382a5a39c9d91a
SHA512: 8f1e8c5e57aa2089a5a95a90c0d4134c8323398cbe918953679761e19e6a04c0099d40f8b10e6aca7b634403f023e1ee49e848fe1c4052c13a939753c07a93fa

Filesize: 387KB
MD5: 25156626002546058dce1191e0386ab7
SHA1: 5e612b93d5e29c5a09220749d5f1d8842c01c213
SHA256: 7c411adaa05fe3f368acca417d15662fd2057df49ae2945fcd4c058d4a826080
SHA512: ddeeb1704b3be10254298476aa211b5abc2b3fde6bc64072fdc5f619e72b375cfac74871a713c5bf0734f0a26dcb140690a42dd25c2d6c93db2d861758011b39
The second file has the same hashes as the submitted sample, so the dropped executable is a byte-for-byte copy of the dropper rather than a second-stage payload; the sample hashes in the General section therefore also identify the copy left on disk.