05036cdefed1e2e405eb6b288aacf6c2df59e780de8c2493d76fc14c0b42aa8b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 17:10

Target

46c0c7389221733ef367a47614bcd683_JaffaCakes118.exe
Size

189KB
MD5

46c0c7389221733ef367a47614bcd683
SHA1

2453191977629235cc8a9ef81e64dcda2f7cd5dc
SHA256

05036cdefed1e2e405eb6b288aacf6c2df59e780de8c2493d76fc14c0b42aa8b
SHA512

6704d1a2e72d99523e87ab36331acafd86f5802ef05bd7dba5169f5c9814da0718e141331a1c8c7e405b7169de6994ce8d4ed84fe8b68b068745524f28c54d93
SSDEEP

3072:GEHGP1HGCqWpkmP46b5NOiT8zMMJDRQN2ajzKUx+WJ26sBSZjVIidm3ZMFRJwdT3:GEmPlpk846FNOiTQDtRQzjGeRZ5NjRaJ

Score

10^/10

Modifies WinLogon for persistence 2 TTPs 1 IoCs

Winlogon Helper DLL

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe QQ.exe"	46c0c7389221733ef367a47614bcd683_JaffaCakes118.exe

Modifies firewall policy service 3 TTPs 5 IoCs

evasion

Modify Registry

Windows Service

Disable or Modify System Firewall

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List	46c0c7389221733ef367a47614bcd683_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	46c0c7389221733ef367a47614bcd683_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	46c0c7389221733ef367a47614bcd683_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\	46c0c7389221733ef367a47614bcd683_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\2046:TCP = "2046:TCP:*:Enabled"	46c0c7389221733ef367a47614bcd683_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\QQ.exe	46c0c7389221733ef367a47614bcd683_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\QQ.exe	46c0c7389221733ef367a47614bcd683_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\QQ.dll	46c0c7389221733ef367a47614bcd683_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\QQHook.dll	46c0c7389221733ef367a47614bcd683_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	46c0c7389221733ef367a47614bcd683_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2520	46c0c7389221733ef367a47614bcd683_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 768	2520	46c0c7389221733ef367a47614bcd683_JaffaCakes118.exe	8

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:768