Analysis
-
max time kernel
140s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
08/07/2024, 17:32
General
-
Target
2d37c7a4646efa79967339e435ef2f8b_JaffaCakes118.exe
-
Size
219KB
-
MD5
2d37c7a4646efa79967339e435ef2f8b
-
SHA1
44b8c1f35dfeac84e6a664259908c5c4282e2db1
-
SHA256
330f36e14dc51c710ce266d0a18e15e8f12cd078e3f95bdbbe4925ce0572de2d
-
SHA512
6a6fa325f48b47590c3c483a85d136eb2177c988b9ae71d503f71f8e67bd9a0942b3a16b65dadb0d88016c4cc2cd4288f935dae0d97298125cd0a7ec082e7a3f
-
SSDEEP
6144:HOwEvHbqltXFv9IUh3nhGdbNDdT8sbDc8RShZ:uwdlNz3JhGVNDdT8jhZ
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d37c7a4646efa79967339e435ef2f8b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2d37c7a4646efa79967339e435ef2f8b_JaffaCakes118.exe"1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "smss" /t reg_sz /d "C:\Users\Admin\smss.exe" /f"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "smss" /t reg_sz /d "C:\Users\Admin\smss.exe" /f3⤵
- Adds Run key to start application
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d "0" /f"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d "0" /f3⤵
- UAC bypass
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "netsh firewall set opmode disable"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Users\Admin\smss.exe"C:\Users\Admin\smss.exe"2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
8KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB