Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
12/07/2024, 15:38
General
-
Target
3df5a3ded590ad9cf040125ec84dac43_JaffaCakes118.exe
-
Size
76KB
-
MD5
3df5a3ded590ad9cf040125ec84dac43
-
SHA1
6a9caf283a5c0109018333250ab6d937a3012ac9
-
SHA256
a15545627b2c59118d6e8566abb9e9473039ae0e57f807d6ccaf706a7f027ec6
-
SHA512
23ca27afa7ac34db6dae69c6ed617b9ac62f84148fec45548673cc52427c1f585bbb1b2d2cb9fd80c6d36f98cfa99893bac2fb30a57b08267decfa5ce6db83b3
-
SSDEEP
768:jHzDcSmR25QinzxPCAex+L20h01k2BlKvzdP928E/h2I1CdwxpiN:TzD/puinNPCrgJWMeQh
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 54 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3df5a3ded590ad9cf040125ec84dac43_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3df5a3ded590ad9cf040125ec84dac43_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\ip.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc.exe config rfwservice start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\net.exenet stop rfwservice3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop rfwservice4⤵
-
-
-
C:\Windows\SysWOW64\sc.exesc.exe config rsccenter start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\net.exenet stop rsccenter3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop rsccenter4⤵
-
-
-
C:\Windows\SysWOW64\sc.exesc.exe config rfwproxysrv start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\net.exenet stop rfwproxysrv3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop rfwproxysrv4⤵
-
-
-
C:\Windows\SysWOW64\sc.exesc.exe config kpfwsvc start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\net.exenet stop kpfwsvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop kpfwsvc4⤵
-
-
-
C:\Windows\SysWOW64\sc.exesc.exe config kissvc start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\net.exenet stop kissvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop kissvc4⤵
-
-
-
-
C:\WINDOWS\lsas.exeC:\WINDOWS\lsas.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\WINDOWS\Msinet.ocx"3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
393KB
MD5b0668eccfa826a9d5dbee2fe1a066346
SHA1dead93641c680d92779a5534640e26b3cb476e3d
SHA256d4cfbf21c45addbb3d45f4dc0a11798b6a0fd03d196891617c2583df6853821d
SHA512ad7606c15273533382121a5f285e0826d0721c1ad2383df3934f080628800a253240a6f4ad4e15bef70082a1140f072c293d2a6747f36dac15992b24f183d924
-
Filesize
76KB
MD53df5a3ded590ad9cf040125ec84dac43
SHA16a9caf283a5c0109018333250ab6d937a3012ac9
SHA256a15545627b2c59118d6e8566abb9e9473039ae0e57f807d6ccaf706a7f027ec6
SHA51223ca27afa7ac34db6dae69c6ed617b9ac62f84148fec45548673cc52427c1f585bbb1b2d2cb9fd80c6d36f98cfa99893bac2fb30a57b08267decfa5ce6db83b3
-
Filesize
309B
MD596e5ad84ee4fc99164853f0618c2b0c2
SHA1d2ddc324d3276d882a0a00bdbd24dc49b0c8deac
SHA256890e41788ac2a14fd27a75c0a0718f9cb3e3bbe2fae1f7b5730308fd695a9984
SHA512abc60dab5615a89648e736a9cb0a3cc9b4d2f1ef5d8e6b5a412ec8b0492bfb38ad535ebd11ad06dfd402f56ac6468db8012edb09e404dce1a3b4da7f66ab765a