0cabfcdb41669c32f3f9a14a2e55fca95c3bbc9b053c961ff8d5c7ac27c898f5

Analysis

max time kernel
147s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89b1c199e235a3c18813de82ab3651ed_JaffaCakes118.exe
Size

48KB
MD5

89b1c199e235a3c18813de82ab3651ed
SHA1

f6d5c58dbfb6b6895097270bd6e222dff5ddcb6f
SHA256

0cabfcdb41669c32f3f9a14a2e55fca95c3bbc9b053c961ff8d5c7ac27c898f5
SHA512

8236916e9e328e5fbb82a749a5ff40c85b127db7b9b04e0c4736c3073970588adc2d6bcb43f8e3eb98ddd752093abcb7260573345b6de0d94ea22b9a387ab14b
SSDEEP

768:p2xs2ADqegxlaDsBZyR10IkReO9hVjkCbtGdS002Fr:p2xYDqHx8DKZiWIk99w0N0V

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	rundll32.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	rundll32.exe

Disables Task Manager via registry modification
evasion

Modifies Shared Task Scheduler registry keys 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{020487CC-FC04-4B1E-863F-D9801796230B} = "Windows Installer Class"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler	89b1c199e235a3c18813de82ab3651ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\IPC Configuration Utility = "IPC Configuration Utility"	89b1c199e235a3c18813de82ab3651ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2360	rundll32.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	rundll32.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\~tmp.html"	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89b1c199e235a3c18813de82ab3651ed_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Desktop\General	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\WallpaperSource = "C:\\Users\\Admin\\AppData\\Roaming\\~tmp.html"	rundll32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{020487CC-FC04-4B1E-863F-D9801796230B}	89b1c199e235a3c18813de82ab3651ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}\InProcServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wndutl32.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}\InProcServer32\ThreadingModel = "Apartment"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{020487CC-FC04-4B1E-863F-D9801796230B}\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wndutl32.dll"	89b1c199e235a3c18813de82ab3651ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\{020487CC-FC04-4B1E-863F-D9801796230B}\Apartment = "Apartment"	89b1c199e235a3c18813de82ab3651ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}	rundll32.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe
2360	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 2360	528	89b1c199e235a3c18813de82ab3651ed_JaffaCakes118.exe	84
PID 528 wrote to memory of 2360	528	89b1c199e235a3c18813de82ab3651ed_JaffaCakes118.exe	84
PID 528 wrote to memory of 2360	528	89b1c199e235a3c18813de82ab3651ed_JaffaCakes118.exe	84

System policy modification 1 TTPs 8 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop = "1"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges = "1"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\89b1c199e235a3c18813de82ab3651ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89b1c199e235a3c18813de82ab3651ed_JaffaCakes118.exe"
1⤵
- Modifies Shared Task Scheduler registry keys
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:528
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\wndutl32.dll,load
  2⤵
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Modifies Shared Task Scheduler registry keys
  - Loads dropped DLL
  - Windows security modification
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - System policy modification
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wndutl32.dll

Filesize
13KB

MD5
92c2f5c069fcf957f641faa880a6ee9f

SHA1
4d6adbca20982f086f0523ac7bce2fc224edac35

SHA256
5b62577023c598eabb68c080189d41ba67fe084270ac6bccbb053ba3ee2d865e

SHA512
4ffb6d8418aac7780286c46e2ae35ccca5f6d5f3d472e8fe5b1298aeda023d3e524b9eb8dcfd338a0100da4bc440c90af52fb914439e1c0362bc128d9538b676

Download Submit
memory/528-0-0x0000000000403000-0x000000000040D000-memory.dmp

Filesize
40KB

Download
memory/528-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/528-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/528-10-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/528-9-0x0000000000403000-0x000000000040D000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads