7a603af9b95e719026d8b7090a47a2744e4a7d7316e6399764203ff912a246f0

Analysis

max time kernel
148s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2024 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4753a64283a684c9f060e16b34677eef_JaffaCakes118.exe
Size

385KB
MD5

4753a64283a684c9f060e16b34677eef
SHA1

66f06a7b8f3bce82cb03766730d3de762d4d2f62
SHA256

7a603af9b95e719026d8b7090a47a2744e4a7d7316e6399764203ff912a246f0
SHA512

8edf68a34aaedb1ff438681687fc6ff3cafc19b4037b765405754ed72f885e650c5cdf63e41f05c3137791b8517732ab4065fb0dec381236b07c5115fb2fbb11
SSDEEP

6144:28+ENWJSFMCfGITPVWu7yh+iydXRxB+1tkpoz5JdoR:KKX0ITPVxyh+pVRL9pydc

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\P2EPBO7DDM.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\P2EPBO7DDM.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3020 set thread context of 3064	3020	4753a64283a684c9f060e16b34677eef_JaffaCakes118.exe	85

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4684	reg.exe
1712	reg.exe
2012	reg.exe
2236	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	3064	vbc.exe
Token: SeCreateTokenPrivilege	3064	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	3064	vbc.exe
Token: SeLockMemoryPrivilege	3064	vbc.exe
Token: SeIncreaseQuotaPrivilege	3064	vbc.exe
Token: SeMachineAccountPrivilege	3064	vbc.exe
Token: SeTcbPrivilege	3064	vbc.exe
Token: SeSecurityPrivilege	3064	vbc.exe
Token: SeTakeOwnershipPrivilege	3064	vbc.exe
Token: SeLoadDriverPrivilege	3064	vbc.exe
Token: SeSystemProfilePrivilege	3064	vbc.exe
Token: SeSystemtimePrivilege	3064	vbc.exe
Token: SeProfSingleProcessPrivilege	3064	vbc.exe
Token: SeIncBasePriorityPrivilege	3064	vbc.exe
Token: SeCreatePagefilePrivilege	3064	vbc.exe
Token: SeCreatePermanentPrivilege	3064	vbc.exe
Token: SeBackupPrivilege	3064	vbc.exe
Token: SeRestorePrivilege	3064	vbc.exe
Token: SeShutdownPrivilege	3064	vbc.exe
Token: SeDebugPrivilege	3064	vbc.exe
Token: SeAuditPrivilege	3064	vbc.exe
Token: SeSystemEnvironmentPrivilege	3064	vbc.exe
Token: SeChangeNotifyPrivilege	3064	vbc.exe
Token: SeRemoteShutdownPrivilege	3064	vbc.exe
Token: SeUndockPrivilege	3064	vbc.exe
Token: SeSyncAgentPrivilege	3064	vbc.exe
Token: SeEnableDelegationPrivilege	3064	vbc.exe
Token: SeManageVolumePrivilege	3064	vbc.exe
Token: SeImpersonatePrivilege	3064	vbc.exe
Token: SeCreateGlobalPrivilege	3064	vbc.exe
Token: 31	3064	vbc.exe
Token: 32	3064	vbc.exe
Token: 33	3064	vbc.exe
Token: 34	3064	vbc.exe
Token: 35	3064	vbc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3064	vbc.exe
3064	vbc.exe
3064	vbc.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 3064	3020	4753a64283a684c9f060e16b34677eef_JaffaCakes118.exe	85
PID 3020 wrote to memory of 3064	3020	4753a64283a684c9f060e16b34677eef_JaffaCakes118.exe	85
PID 3020 wrote to memory of 3064	3020	4753a64283a684c9f060e16b34677eef_JaffaCakes118.exe	85
PID 3020 wrote to memory of 3064	3020	4753a64283a684c9f060e16b34677eef_JaffaCakes118.exe	85
PID 3020 wrote to memory of 3064	3020	4753a64283a684c9f060e16b34677eef_JaffaCakes118.exe	85
PID 3020 wrote to memory of 3064	3020	4753a64283a684c9f060e16b34677eef_JaffaCakes118.exe	85
PID 3020 wrote to memory of 3064	3020	4753a64283a684c9f060e16b34677eef_JaffaCakes118.exe	85
PID 3020 wrote to memory of 3064	3020	4753a64283a684c9f060e16b34677eef_JaffaCakes118.exe	85
PID 3064 wrote to memory of 2536	3064	vbc.exe	86
PID 3064 wrote to memory of 2536	3064	vbc.exe	86
PID 3064 wrote to memory of 2536	3064	vbc.exe	86
PID 3064 wrote to memory of 4084	3064	vbc.exe	87
PID 3064 wrote to memory of 4084	3064	vbc.exe	87
PID 3064 wrote to memory of 4084	3064	vbc.exe	87
PID 3064 wrote to memory of 4244	3064	vbc.exe	88
PID 3064 wrote to memory of 4244	3064	vbc.exe	88
PID 3064 wrote to memory of 4244	3064	vbc.exe	88
PID 3064 wrote to memory of 2092	3064	vbc.exe	89
PID 3064 wrote to memory of 2092	3064	vbc.exe	89
PID 3064 wrote to memory of 2092	3064	vbc.exe	89
PID 2536 wrote to memory of 2012	2536	cmd.exe	95
PID 2536 wrote to memory of 2012	2536	cmd.exe	95
PID 2536 wrote to memory of 2012	2536	cmd.exe	95
PID 4244 wrote to memory of 1712	4244	cmd.exe	96
PID 4244 wrote to memory of 1712	4244	cmd.exe	96
PID 4244 wrote to memory of 1712	4244	cmd.exe	96
PID 4084 wrote to memory of 2236	4084	cmd.exe	97
PID 4084 wrote to memory of 2236	4084	cmd.exe	97
PID 4084 wrote to memory of 2236	4084	cmd.exe	97
PID 2092 wrote to memory of 4684	2092	cmd.exe	98
PID 2092 wrote to memory of 4684	2092	cmd.exe	98
PID 2092 wrote to memory of 4684	2092	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\4753a64283a684c9f060e16b34677eef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4753a64283a684c9f060e16b34677eef_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\P2EPBO7DDM.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\P2EPBO7DDM.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\P2EPBO7DDM.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\P2EPBO7DDM.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3020-11-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/3020-1-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/3020-2-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/3020-0-0x0000000074892000-0x0000000074893000-memory.dmp

Filesize
4KB

Download
memory/3064-15-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3064-9-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3064-6-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3064-14-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3064-3-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3064-17-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3064-18-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3064-19-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3064-21-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3064-22-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3064-23-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3064-25-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3064-27-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads