9678948e21027247d80264c524f3b88e71a83393e15dd9e42b20b9bda9759603

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 02:23

Target

5eac2c707c748434b14993582f62a679_JaffaCakes118.exe
Size

16KB
MD5

5eac2c707c748434b14993582f62a679
SHA1

df603f3d98ed574a72c54415b22be65cb9cf6cf2
SHA256

9678948e21027247d80264c524f3b88e71a83393e15dd9e42b20b9bda9759603
SHA512

b02143f296e4efc2db698fd8bffc48144712259ba1cb6c4520377e9263dec1cc2f19a2cefbf3430d7be524e6a38f31d3a2e9bc66aadcad4c8295af3cad3a0e10
SSDEEP

192:ofzy2j9N/lfXNnITBrnOHbFGOPx1Q5ubiOPqr/M8HyaoVdmnYQdR:Yzy25NF9nc5nQJ1Q5ubiND8Vdmh

Score

10^/10

evasion execution

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\aksuser.dll	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\aksuser.dll	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\delksuser.dll	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ksuser.dll	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1060	sc.exe
2116	sc.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3196	taskkill.exe
1952	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	3196	taskkill.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 3488	2724	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	84
PID 2724 wrote to memory of 3488	2724	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	84
PID 2724 wrote to memory of 3488	2724	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	84
PID 2724 wrote to memory of 1060	2724	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	85
PID 2724 wrote to memory of 1060	2724	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	85
PID 2724 wrote to memory of 1060	2724	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	85
PID 2724 wrote to memory of 3196	2724	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	86
PID 2724 wrote to memory of 3196	2724	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	86
PID 2724 wrote to memory of 3196	2724	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	86
PID 2724 wrote to memory of 2116	2724	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	87
PID 2724 wrote to memory of 2116	2724	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	87
PID 2724 wrote to memory of 2116	2724	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	87
PID 2724 wrote to memory of 1952	2724	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	88
PID 2724 wrote to memory of 1952	2724	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	88
PID 2724 wrote to memory of 1952	2724	5eac2c707c748434b14993582f62a679_JaffaCakes118.exe	88
PID 3488 wrote to memory of 976	3488	net.exe	94
PID 3488 wrote to memory of 976	3488	net.exe	94
PID 3488 wrote to memory of 976	3488	net.exe	94

C:\Users\Admin\AppData\Local\Temp\5eac2c707c748434b14993582f62a679_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5eac2c707c748434b14993582f62a679_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    PID:976
- C:\Windows\SysWOW64\sc.exe
  sc config cryptsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1060
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im soul.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3196
- C:\Windows\SysWOW64\sc.exe
  sc delete cryptsvc
  2⤵
  - Launches sc.exe
  PID:2116
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im zeroonline.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1952