Analysis
-
max time kernel
150s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
15-07-2024 04:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4826e3d9a775d82209a1d3db23ae6b44_JaffaCakes118.exe
Resource
win7-20240704-en
windows7-x64
15 signatures
150 seconds
Behavioral task
behavioral2
Sample
4826e3d9a775d82209a1d3db23ae6b44_JaffaCakes118.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
0 signatures
150 seconds
General
-
Target
4826e3d9a775d82209a1d3db23ae6b44_JaffaCakes118.exe
-
Size
352KB
-
MD5
4826e3d9a775d82209a1d3db23ae6b44
-
SHA1
7bcc1c46b20690b1f316ee64882340992efd80fb
-
SHA256
40dce9ca641144297bfe32cca4c147be4c725a55c3f7c2458ee5cc91bab15b70
-
SHA512
ad10fcd1611be1492abd39c2f731c1c48c27634e39941230a2f288cc0eaab570052eaa9da9a7e8239e4d7728c89a965d07aa6decad57ea0122ccfda822d50eee
-
SSDEEP
6144:JjttqWASxQ0rShyGlReFjbjfhyqQMRYNYoDvohAi3lFeB6M2Xf3:JWWDQcShyGloFjbTA1KmNo/VFC6l
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 043A6AEB00014973000BD86DB4EB2331.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 043A6AEB00014973000BD86DB4EB2331.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 043A6AEB00014973000BD86DB4EB2331.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 043A6AEB00014973000BD86DB4EB2331.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 043A6AEB00014973000BD86DB4EB2331.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 043A6AEB00014973000BD86DB4EB2331.exe -
Disables taskbar notifications via registry modification
-
Deletes itself 1 IoCs
pid Process 2556 043A6AEB00014973000BD86DB4EB2331.exe -
Executes dropped EXE 1 IoCs
pid Process 2556 043A6AEB00014973000BD86DB4EB2331.exe -
Loads dropped DLL 2 IoCs
pid Process 2064 4826e3d9a775d82209a1d3db23ae6b44_JaffaCakes118.exe 2064 4826e3d9a775d82209a1d3db23ae6b44_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 043A6AEB00014973000BD86DB4EB2331.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 043A6AEB00014973000BD86DB4EB2331.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 043A6AEB00014973000BD86DB4EB2331.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 043A6AEB00014973000BD86DB4EB2331.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 043A6AEB00014973000BD86DB4EB2331.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc 043A6AEB00014973000BD86DB4EB2331.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc 043A6AEB00014973000BD86DB4EB2331.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 043A6AEB00014973000BD86DB4EB2331.exe -
Modifies registry class 22 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\%s\ = "043A6" 043A6AEB00014973000BD86DB4EB2331.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\043A6\ = "Application" 043A6AEB00014973000BD86DB4EB2331.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\043A6\Content Type = "application/x-msdownload" 043A6AEB00014973000BD86DB4EB2331.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\043A6\DefaultIcon\ = "%1" 043A6AEB00014973000BD86DB4EB2331.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\043A6\shell\open 043A6AEB00014973000BD86DB4EB2331.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\043A6\shell\start\command 043A6AEB00014973000BD86DB4EB2331.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\043A6\shell\runas 043A6AEB00014973000BD86DB4EB2331.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.exe\ = "043A6" 043A6AEB00014973000BD86DB4EB2331.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\043A6\shell\runas\command\ = "\"%1\" %*" 043A6AEB00014973000BD86DB4EB2331.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\043A6\shell\open\command 043A6AEB00014973000BD86DB4EB2331.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\043A6\shell\start\command\IsolatedCommand = "\"%1\" %*" 043A6AEB00014973000BD86DB4EB2331.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.exe 043A6AEB00014973000BD86DB4EB2331.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\043A6\shell 043A6AEB00014973000BD86DB4EB2331.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\043A6\shell\open\command\ = "\"C:\\ProgramData\\043A6AEB00014973000BD86DB4EB2331\\043A6AEB00014973000BD86DB4EB2331.exe\" -s \"%1\" %*" 043A6AEB00014973000BD86DB4EB2331.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\043A6\shell\open\command\IsolatedCommand = "\"%1\" %*" 043A6AEB00014973000BD86DB4EB2331.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\043A6\shell\start 043A6AEB00014973000BD86DB4EB2331.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\043A6\shell\runas\command 043A6AEB00014973000BD86DB4EB2331.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\043A6\shell\runas\command\IsolatedCommand = "\"%1\" %*" 043A6AEB00014973000BD86DB4EB2331.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\043A6 043A6AEB00014973000BD86DB4EB2331.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\043A6\DefaultIcon 043A6AEB00014973000BD86DB4EB2331.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\043A6\shell\start\command\ = "\"%1\" %*" 043A6AEB00014973000BD86DB4EB2331.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\%s 043A6AEB00014973000BD86DB4EB2331.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2064 4826e3d9a775d82209a1d3db23ae6b44_JaffaCakes118.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2556 043A6AEB00014973000BD86DB4EB2331.exe 2556 043A6AEB00014973000BD86DB4EB2331.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2064 wrote to memory of 2556 2064 4826e3d9a775d82209a1d3db23ae6b44_JaffaCakes118.exe 29 PID 2064 wrote to memory of 2556 2064 4826e3d9a775d82209a1d3db23ae6b44_JaffaCakes118.exe 29 PID 2064 wrote to memory of 2556 2064 4826e3d9a775d82209a1d3db23ae6b44_JaffaCakes118.exe 29 PID 2064 wrote to memory of 2556 2064 4826e3d9a775d82209a1d3db23ae6b44_JaffaCakes118.exe 29 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 043A6AEB00014973000BD86DB4EB2331.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4826e3d9a775d82209a1d3db23ae6b44_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4826e3d9a775d82209a1d3db23ae6b44_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\ProgramData\043A6AEB00014973000BD86DB4EB2331\043A6AEB00014973000BD86DB4EB2331.exe"C:\ProgramData\043A6AEB00014973000BD86DB4EB2331\043A6AEB00014973000BD86DB4EB2331.exe" -d "C:\Users\Admin\AppData\Local\Temp\4826e3d9a775d82209a1d3db23ae6b44_JaffaCakes118.exe"2⤵
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2556
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
328B
MD54ebcc6438607b87c891b9cecdd8ec5c5
SHA14985e817fcd4207d132c2d503db6e0fbb81724a3
SHA256aa867a5bafb17c2f078a91171b475647a7750ece6016a815778c60f452a2a8b2
SHA512177c4c2f5dc99d9ab19054745b026e9a0d12f0de93f0d466134e595030d61cc52201a7f54dba98840b57eca8c4ee19ac85d3ac6e3096730a9fcdaa0ec35c8970
-
Filesize
352KB
MD54826e3d9a775d82209a1d3db23ae6b44
SHA17bcc1c46b20690b1f316ee64882340992efd80fb
SHA25640dce9ca641144297bfe32cca4c147be4c725a55c3f7c2458ee5cc91bab15b70
SHA512ad10fcd1611be1492abd39c2f731c1c48c27634e39941230a2f288cc0eaab570052eaa9da9a7e8239e4d7728c89a965d07aa6decad57ea0122ccfda822d50eee