174833540eba7b9b7b6b5189e033480ca45b6fb7fbd7b2197c8fd3d94c4d1e33

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ece40803aca1474bc51bb6fca51aa0db_JaffaCakes118.exe
Size

68KB
MD5

ece40803aca1474bc51bb6fca51aa0db
SHA1

47cf4ec1d796d76a20934b120941c50330f13a0b
SHA256

174833540eba7b9b7b6b5189e033480ca45b6fb7fbd7b2197c8fd3d94c4d1e33
SHA512

2c6d266028292bef0c2c6af4eaeec3a7cf07e5bc40ef483563c0f7c0542350f90597dde05276d66bb6457e9ad10c71d52358c63d83189d6449ea79aa24a1f345
SSDEEP

768:+fIrEdhAo30eMW8/CKXjZj3CjlFj3gFv9fIrEdhAo30eMW8neu:2AokeM3/CKV9FvJAokeM3eu

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ece40803aca1474bc51bb6fca51aa0db_JaffaCakes118.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1"	ece40803aca1474bc51bb6fca51aa0db_JaffaCakes118.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1"	ece40803aca1474bc51bb6fca51aa0db_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Gerente = "C:\\Windows\\casita10.exe"	ece40803aca1474bc51bb6fca51aa0db_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ece40803aca1474bc51bb6fca51aa0db_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ece40803aca1474bc51bb6fca51aa0db_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2872	ece40803aca1474bc51bb6fca51aa0db_JaffaCakes118.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments	ece40803aca1474bc51bb6fca51aa0db_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus = "1"	ece40803aca1474bc51bb6fca51aa0db_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	ece40803aca1474bc51bb6fca51aa0db_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ece40803aca1474bc51bb6fca51aa0db_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ece40803aca1474bc51bb6fca51aa0db_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ece40803aca1474bc51bb6fca51aa0db_JaffaCakes118.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2872