58dd01a3b49d3df61c8ea1b884e7a7aca80712937dffbeaebc6edf697231f9b5

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Size

54KB
MD5

35ce5b9c0ab70d49eb9326ebf0dffed9
SHA1

10ef0c6dc944bfba8d9dddda5bd5af62937d95b4
SHA256

58dd01a3b49d3df61c8ea1b884e7a7aca80712937dffbeaebc6edf697231f9b5
SHA512

99bc00ef26fc57fb86c6ce18c2bded4187e91dea9bda339773b3b7d6019315a1277aafe4b3c9a9b46e17519aa2f93080a8dfa00e08e9e3213b3f448f4a0a0034
SSDEEP

768:79T7DkxBos1wirNyI+wVtTWFSlu7GwKYRnkbFrFeZs81HNQBMpc08i1vlpWxCRzd:VwBoYw+v1tg/fKYRixFeZs806b8GpZZ

Score

10^/10

evasion execution

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
3848	SETUP.EXE

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2144	sc.exe
2404	sc.exe
1040	sc.exe
2536	sc.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
4144	taskkill.exe
5056	taskkill.exe
5096	taskkill.exe
2956	taskkill.exe
988	taskkill.exe
3244	taskkill.exe
4084	taskkill.exe
4412	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeDebugPrivilege	3244	taskkill.exe
Token: SeDebugPrivilege	5096	taskkill.exe
Token: SeDebugPrivilege	4144	taskkill.exe
Token: SeDebugPrivilege	2956	taskkill.exe
Token: SeDebugPrivilege	4084	taskkill.exe
Token: SeDebugPrivilege	5056	taskkill.exe
Token: SeDebugPrivilege	4412	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 2888	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	83
PID 3180 wrote to memory of 2888	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	83
PID 3180 wrote to memory of 2888	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	83
PID 3180 wrote to memory of 2392	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	84
PID 3180 wrote to memory of 2392	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	84
PID 3180 wrote to memory of 2392	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	84
PID 3180 wrote to memory of 2176	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	85
PID 3180 wrote to memory of 2176	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	85
PID 3180 wrote to memory of 2176	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	85
PID 3180 wrote to memory of 2144	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	86
PID 3180 wrote to memory of 2144	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	86
PID 3180 wrote to memory of 2144	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	86
PID 3180 wrote to memory of 4084	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	88
PID 3180 wrote to memory of 4084	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	88
PID 3180 wrote to memory of 4084	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	88
PID 3180 wrote to memory of 3244	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	89
PID 3180 wrote to memory of 3244	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	89
PID 3180 wrote to memory of 3244	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	89
PID 3180 wrote to memory of 2536	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	90
PID 3180 wrote to memory of 2536	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	90
PID 3180 wrote to memory of 2536	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	90
PID 3180 wrote to memory of 988	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	91
PID 3180 wrote to memory of 988	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	91
PID 3180 wrote to memory of 988	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	91
PID 3180 wrote to memory of 4412	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	92
PID 3180 wrote to memory of 4412	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	92
PID 3180 wrote to memory of 4412	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	92
PID 3180 wrote to memory of 4040	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	93
PID 3180 wrote to memory of 4040	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	93
PID 3180 wrote to memory of 4040	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	93
PID 3180 wrote to memory of 3468	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	94
PID 3180 wrote to memory of 3468	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	94
PID 3180 wrote to memory of 3468	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	94
PID 3180 wrote to memory of 3720	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	95
PID 3180 wrote to memory of 3720	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	95
PID 3180 wrote to memory of 3720	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	95
PID 3180 wrote to memory of 2404	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	96
PID 3180 wrote to memory of 2404	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	96
PID 3180 wrote to memory of 2404	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	96
PID 3180 wrote to memory of 4144	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	97
PID 3180 wrote to memory of 4144	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	97
PID 3180 wrote to memory of 4144	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	97
PID 3180 wrote to memory of 2956	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	106
PID 3180 wrote to memory of 2956	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	106
PID 3180 wrote to memory of 2956	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	106
PID 3180 wrote to memory of 1040	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	107
PID 3180 wrote to memory of 1040	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	107
PID 3180 wrote to memory of 1040	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	107
PID 3180 wrote to memory of 5096	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	109
PID 3180 wrote to memory of 5096	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	109
PID 3180 wrote to memory of 5096	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	109
PID 3180 wrote to memory of 5056	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	110
PID 3180 wrote to memory of 5056	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	110
PID 3180 wrote to memory of 5056	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	110
PID 3180 wrote to memory of 3848	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	119
PID 3180 wrote to memory of 3848	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	119
PID 3180 wrote to memory of 3848	3180	35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe	119
PID 4040 wrote to memory of 556	4040	net.exe	120
PID 4040 wrote to memory of 556	4040	net.exe	120
PID 4040 wrote to memory of 556	4040	net.exe	120
PID 2392 wrote to memory of 3676	2392	net.exe	121
PID 2392 wrote to memory of 3676	2392	net.exe	121
PID 2392 wrote to memory of 3676	2392	net.exe	121
PID 2888 wrote to memory of 1136	2888	net.exe	122

C:\Users\Admin\AppData\Local\Temp\35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\35ce5b9c0ab70d49eb9326ebf0dffed9_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:1136
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:3676
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  PID:2176
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    PID:4292
- C:\Windows\SysWOW64\sc.exe
  sc config NOD32krn start= disabled
  2⤵
  - Launches sc.exe
  PID:2144
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im nod32krn.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4084
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im nod32kui.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3244
- C:\Windows\SysWOW64\sc.exe
  sc config ekrn start= disabled
  2⤵
  - Launches sc.exe
  PID:2536
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im ekrn.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im egui.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4412
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:556
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  PID:3468
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1488
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  PID:3720
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    PID:1428
- C:\Windows\SysWOW64\sc.exe
  sc config NOD32krn start= disabled
  2⤵
  - Launches sc.exe
  PID:2404
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im nod32krn.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4144
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im nod32kui.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\SysWOW64\sc.exe
  sc config ekrn start= disabled
  2⤵
  - Launches sc.exe
  PID:1040
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im ekrn.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5096
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im egui.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5056
- C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
  C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\avp.exe
  2⤵
  PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SETUP.EXE

Filesize
11KB

MD5
09c035dfbdf04171bc71a995236abb68

SHA1
f80479f5bf04909f517d8a08efb62957eedfcf34

SHA256
b58c462933d5317808d4a69856d9ee8968ff76dacad1ed9dc823d6b4e4bf93c7

SHA512
85c7375b8d591a8de9894419ce122b7f0b2e9e7c36c1aee52bd7eb1cb95558125a3f9ba432b001ccede9f401453905bdd1e9df1e536720e4053315ef98365394

Download Submit