4116dc634bbd33fab1a31b6194ad2ff237912891ecb4fa24dfdc2f257dac68b9

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe
Size

3.3MB
MD5

773d45b236c51a24defb9a713c0c905c
SHA1

6a3d7eecb062b333424f7ea853dd8a31178b04ce
SHA256

4116dc634bbd33fab1a31b6194ad2ff237912891ecb4fa24dfdc2f257dac68b9
SHA512

5073a1f347c57c151f154ab2a96d85c6b1810a2b283460b8f84a430a0122d1da5188e2f727164a513c458dbbe6641705a2959728a6c4792e7055c73a090fe067
SSDEEP

49152:iGtlq/yIU6iP/GddQoErmuMt33fOktlCi3PwHaw6nIgOR3qQDzbR5IKAhEGiPKu1:u+P/ZMt33flCjjH5IbZBu3fsm

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2840	sc.exe
1492	sc.exe
1636	sc.exe
2388	sc.exe
2916	sc.exe
2988	sc.exe

Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1532	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	31
PID 2312 wrote to memory of 1532	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	31
PID 2312 wrote to memory of 1532	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	31
PID 2312 wrote to memory of 2448	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	32
PID 2312 wrote to memory of 2448	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	32
PID 2312 wrote to memory of 2448	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	32
PID 2448 wrote to memory of 2084	2448	cmd.exe	33
PID 2448 wrote to memory of 2084	2448	cmd.exe	33
PID 2448 wrote to memory of 2084	2448	cmd.exe	33
PID 2084 wrote to memory of 3016	2084	net.exe	34
PID 2084 wrote to memory of 3016	2084	net.exe	34
PID 2084 wrote to memory of 3016	2084	net.exe	34
PID 2312 wrote to memory of 2036	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	35
PID 2312 wrote to memory of 2036	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	35
PID 2312 wrote to memory of 2036	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	35
PID 2036 wrote to memory of 2800	2036	cmd.exe	36
PID 2036 wrote to memory of 2800	2036	cmd.exe	36
PID 2036 wrote to memory of 2800	2036	cmd.exe	36
PID 2800 wrote to memory of 2856	2800	net.exe	37
PID 2800 wrote to memory of 2856	2800	net.exe	37
PID 2800 wrote to memory of 2856	2800	net.exe	37
PID 2312 wrote to memory of 2040	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	38
PID 2312 wrote to memory of 2040	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	38
PID 2312 wrote to memory of 2040	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	38
PID 2040 wrote to memory of 2388	2040	cmd.exe	39
PID 2040 wrote to memory of 2388	2040	cmd.exe	39
PID 2040 wrote to memory of 2388	2040	cmd.exe	39
PID 2312 wrote to memory of 2900	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	40
PID 2312 wrote to memory of 2900	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	40
PID 2312 wrote to memory of 2900	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	40
PID 2900 wrote to memory of 2916	2900	cmd.exe	41
PID 2900 wrote to memory of 2916	2900	cmd.exe	41
PID 2900 wrote to memory of 2916	2900	cmd.exe	41
PID 2312 wrote to memory of 2960	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	42
PID 2312 wrote to memory of 2960	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	42
PID 2312 wrote to memory of 2960	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	42
PID 2960 wrote to memory of 2988	2960	cmd.exe	43
PID 2960 wrote to memory of 2988	2960	cmd.exe	43
PID 2960 wrote to memory of 2988	2960	cmd.exe	43
PID 2312 wrote to memory of 2904	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	44
PID 2312 wrote to memory of 2904	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	44
PID 2312 wrote to memory of 2904	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	44
PID 2904 wrote to memory of 2840	2904	cmd.exe	45
PID 2904 wrote to memory of 2840	2904	cmd.exe	45
PID 2904 wrote to memory of 2840	2904	cmd.exe	45
PID 2312 wrote to memory of 2816	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	46
PID 2312 wrote to memory of 2816	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	46
PID 2312 wrote to memory of 2816	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	46
PID 2816 wrote to memory of 1492	2816	cmd.exe	47
PID 2816 wrote to memory of 1492	2816	cmd.exe	47
PID 2816 wrote to memory of 1492	2816	cmd.exe	47
PID 2312 wrote to memory of 2844	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	48
PID 2312 wrote to memory of 2844	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	48
PID 2312 wrote to memory of 2844	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	48
PID 2844 wrote to memory of 1636	2844	cmd.exe	49
PID 2844 wrote to memory of 1636	2844	cmd.exe	49
PID 2844 wrote to memory of 1636	2844	cmd.exe	49
PID 2312 wrote to memory of 2984	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	50
PID 2312 wrote to memory of 2984	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	50
PID 2312 wrote to memory of 2984	2312	773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe	50
PID 2984 wrote to memory of 2828	2984	cmd.exe	51
PID 2984 wrote to memory of 2828	2984	cmd.exe	51
PID 2984 wrote to memory of 2828	2984	cmd.exe	51
PID 2828 wrote to memory of 2996	2828	net.exe	52

C:\Users\Admin\AppData\Local\Temp\773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\773d45b236c51a24defb9a713c0c905c_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop FACEIT >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\system32\net.exe
    net stop FACEIT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FACEIT
      4⤵
      PID:3016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop ESEADriver2 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\system32\net.exe
    net stop ESEADriver2
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESEADriver2
      4⤵
      PID:2856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:2916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:2988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop capsom >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\system32\net.exe
    net stop capsom
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop capsom
      4⤵
      PID:2996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop capsom.sys >nul 2>&1
  2⤵
  PID:2968
- - C:\Windows\system32\net.exe
    net stop capsom.sys
    3⤵
    PID:2144
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop capsom.sys
      4⤵
      PID:2744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1680