58dd01a3b49d3df61c8ea1b884e7a7aca80712937dffbeaebc6edf697231f9b5

Analysis

max time kernel
15s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Size

54KB
MD5

35ce5b9c0ab70d49eb9326ebf0dffed9
SHA1

10ef0c6dc944bfba8d9dddda5bd5af62937d95b4
SHA256

58dd01a3b49d3df61c8ea1b884e7a7aca80712937dffbeaebc6edf697231f9b5
SHA512

99bc00ef26fc57fb86c6ce18c2bded4187e91dea9bda339773b3b7d6019315a1277aafe4b3c9a9b46e17519aa2f93080a8dfa00e08e9e3213b3f448f4a0a0034
SSDEEP

768:79T7DkxBos1wirNyI+wVtTWFSlu7GwKYRnkbFrFeZs81HNQBMpc08i1vlpWxCRzd:VwBoYw+v1tg/fKYRixFeZs806b8GpZZ

Score

10^/10

evasion execution

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
2392	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2768	SETUP.EXE

Loads dropped DLL 4 IoCs

pid	Process
2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
2768	SETUP.EXE
2768	SETUP.EXE
2768	SETUP.EXE

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2904	sc.exe
1952	sc.exe
2948	sc.exe
2972	sc.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
2900	taskkill.exe
2872	taskkill.exe
2420	taskkill.exe
2852	taskkill.exe
2952	taskkill.exe
2956	taskkill.exe
676	taskkill.exe
2884	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	2956	taskkill.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	2884	taskkill.exe
Token: SeDebugPrivilege	2952	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2160	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	30
PID 2780 wrote to memory of 2160	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	30
PID 2780 wrote to memory of 2160	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	30
PID 2780 wrote to memory of 2160	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	30
PID 2780 wrote to memory of 1716	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	31
PID 2780 wrote to memory of 1716	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	31
PID 2780 wrote to memory of 1716	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	31
PID 2780 wrote to memory of 1716	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	31
PID 2780 wrote to memory of 2028	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	32
PID 2780 wrote to memory of 2028	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	32
PID 2780 wrote to memory of 2028	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	32
PID 2780 wrote to memory of 2028	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	32
PID 2780 wrote to memory of 1952	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	33
PID 2780 wrote to memory of 1952	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	33
PID 2780 wrote to memory of 1952	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	33
PID 2780 wrote to memory of 1952	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	33
PID 2780 wrote to memory of 2420	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	35
PID 2780 wrote to memory of 2420	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	35
PID 2780 wrote to memory of 2420	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	35
PID 2780 wrote to memory of 2420	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	35
PID 2780 wrote to memory of 2852	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	39
PID 2780 wrote to memory of 2852	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	39
PID 2780 wrote to memory of 2852	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	39
PID 2780 wrote to memory of 2852	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	39
PID 2780 wrote to memory of 2948	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	40
PID 2780 wrote to memory of 2948	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	40
PID 2780 wrote to memory of 2948	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	40
PID 2780 wrote to memory of 2948	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	40
PID 2780 wrote to memory of 2952	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	41
PID 2780 wrote to memory of 2952	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	41
PID 2780 wrote to memory of 2952	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	41
PID 2780 wrote to memory of 2952	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	41
PID 2780 wrote to memory of 2956	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	42
PID 2780 wrote to memory of 2956	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	42
PID 2780 wrote to memory of 2956	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	42
PID 2780 wrote to memory of 2956	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	42
PID 2780 wrote to memory of 1888	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	43
PID 2780 wrote to memory of 1888	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	43
PID 2780 wrote to memory of 1888	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	43
PID 2780 wrote to memory of 1888	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	43
PID 2780 wrote to memory of 2820	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	45
PID 2780 wrote to memory of 2820	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	45
PID 2780 wrote to memory of 2820	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	45
PID 2780 wrote to memory of 2820	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	45
PID 2780 wrote to memory of 2920	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	46
PID 2780 wrote to memory of 2920	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	46
PID 2780 wrote to memory of 2920	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	46
PID 2780 wrote to memory of 2920	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	46
PID 2780 wrote to memory of 2904	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	47
PID 2780 wrote to memory of 2904	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	47
PID 2780 wrote to memory of 2904	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	47
PID 2780 wrote to memory of 2904	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	47
PID 2780 wrote to memory of 2884	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	49
PID 2780 wrote to memory of 2884	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	49
PID 2780 wrote to memory of 2884	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	49
PID 2780 wrote to memory of 2884	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	49
PID 2780 wrote to memory of 676	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	50
PID 2780 wrote to memory of 676	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	50
PID 2780 wrote to memory of 676	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	50
PID 2780 wrote to memory of 676	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	50
PID 2780 wrote to memory of 2972	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	52
PID 2780 wrote to memory of 2972	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	52
PID 2780 wrote to memory of 2972	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	52
PID 2780 wrote to memory of 2972	2780	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	52

C:\Users\Admin\AppData\Local\Temp\35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  PID:2160
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:2176
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2752
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    PID:2696
- C:\Windows\SysWOW64\sc.exe
  sc config NOD32krn start= disabled
  2⤵
  - Launches sc.exe
  PID:1952
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im nod32krn.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im nod32kui.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\SysWOW64\sc.exe
  sc config ekrn start= disabled
  2⤵
  - Launches sc.exe
  PID:2948
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im ekrn.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im egui.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:3012
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:2820
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1804
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  PID:2920
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    PID:2912
- C:\Windows\SysWOW64\sc.exe
  sc config NOD32krn start= disabled
  2⤵
  - Launches sc.exe
  PID:2904
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im nod32krn.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im nod32kui.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:676
- C:\Windows\SysWOW64\sc.exe
  sc config ekrn start= disabled
  2⤵
  - Launches sc.exe
  PID:2972
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im ekrn.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im egui.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
  C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\avp.exe
  2⤵
  - Deletes itself
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\SETUP.EXE

Filesize
11KB

MD5
09c035dfbdf04171bc71a995236abb68

SHA1
f80479f5bf04909f517d8a08efb62957eedfcf34

SHA256
b58c462933d5317808d4a69856d9ee8968ff76dacad1ed9dc823d6b4e4bf93c7

SHA512
85c7375b8d591a8de9894419ce122b7f0b2e9e7c36c1aee52bd7eb1cb95558125a3f9ba432b001ccede9f401453905bdd1e9df1e536720e4053315ef98365394

Download Submit