fc5ddda06e1aabc03a206e45f7e87f7dd26f75711b05737c6d38ad17b653539d

Analysis

max time kernel
141s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
Size

31KB
MD5

eda40c1a2725c7c2d83bfd37e85fe9cf
SHA1

9e4cb614a7a73297aaa2ec893fe2858251d7ef76
SHA256

fc5ddda06e1aabc03a206e45f7e87f7dd26f75711b05737c6d38ad17b653539d
SHA512

fd507d5c44dde7c3f4b3779c38f725118e4517fba5fc78e9c25b795e5ad268b3a65515cde102765b5271a0fdfeb12e73a685832a8a163024bd4d37cab51f29f1
SSDEEP

768:Vb7/Nm6FhTTVLKSo34urx1pazkXHiKXWSPPVnbcuyD7UoNWGo:i+TVLLo7rbp9HlvFnouy84C

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360se = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe"	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened (read-only)	\??\k:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened (read-only)	\??\p:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened (read-only)	\??\m:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened (read-only)	\??\n:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened (read-only)	\??\r:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened (read-only)	\??\u:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened (read-only)	\??\w:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened (read-only)	\??\x:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened (read-only)	\??\g:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened (read-only)	\??\h:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened (read-only)	\??\i:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened (read-only)	\??\j:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened (read-only)	\??\l:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened (read-only)	\??\s:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened (read-only)	\??\v:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened (read-only)	\??\o:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened (read-only)	\??\q:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened (read-only)	\??\t:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened (read-only)	\??\y:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened (read-only)	\??\z:	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\259456650.DEP	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\rgdltecq\ohoifz.pif	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\rgdltecq\ohoifz.pif	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
Token: SeDebugPrivilege	2668	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eda40c1a2725c7c2d83bfd37e85fe9cf_JaffaCakes118.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\259456650.DEP

Filesize
12.1MB

MD5
ae09f1262f58a45ef1bacb86b4010959

SHA1
033930360bf0af5b7b50fcb0beb4bf57e03c26da

SHA256
adc0e6d26933aa128ad37f2c8d0364eef15c602141f4d3bcdaf0697635350b15

SHA512
a501fc963f6fc064a3ff98714198676bce838795c8b4bd5e4fea6fc72685704faf015b9670f2433c09c45a29dbe6d920bd55c2dd8e4d11a99a90487e74a18216

Download Submit
memory/2668-1-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2668-5-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download