eeabb667e2816f51ea080fb3db429fe324bb5284a89b0fe190835cbf0bcf3af4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 17:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0feba98e795edb3d838e5b8cdddab92f_JaffaCakes118.exe
Size

96KB
MD5

0feba98e795edb3d838e5b8cdddab92f
SHA1

961bbd83750114e263b49b051057709046f2b1de
SHA256

eeabb667e2816f51ea080fb3db429fe324bb5284a89b0fe190835cbf0bcf3af4
SHA512

df58039264ff3e274586f8f6998688b705946189ebae152be1b93cbe3fff5f2b671b1795a6e274d19ff6734cffc50c6afe24a890358589a4b19f61f2f87a4728
SSDEEP

1536:wGMfq8nvVDX2HT6PqVL2LrNMYTHStqkeDXPz/9L35+ltY6FWPkj1hLZWYLsY/GBl:knVDpRzSleDX7/9L35Px8hLZWYLb/GBl

Score

10^/10

discovery evasion trojan

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	0feba98e795edb3d838e5b8cdddab92f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	0feba98e795edb3d838e5b8cdddab92f_JaffaCakes118.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0feba98e795edb3d838e5b8cdddab92f_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0feba98e795edb3d838e5b8cdddab92f_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wscntfy.exe	0feba98e795edb3d838e5b8cdddab92f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wscntfy.exe	0feba98e795edb3d838e5b8cdddab92f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0feba98e795edb3d838e5b8cdddab92f_JaffaCakes118.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 4 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0"	0feba98e795edb3d838e5b8cdddab92f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\PhishingFilter	0feba98e795edb3d838e5b8cdddab92f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0"	0feba98e795edb3d838e5b8cdddab92f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\PhishingFilter	0feba98e795edb3d838e5b8cdddab92f_JaffaCakes118.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PhishingFilter	0feba98e795edb3d838e5b8cdddab92f_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0"	0feba98e795edb3d838e5b8cdddab92f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3028	0feba98e795edb3d838e5b8cdddab92f_JaffaCakes118.exe
3028	0feba98e795edb3d838e5b8cdddab92f_JaffaCakes118.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0feba98e795edb3d838e5b8cdddab92f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0feba98e795edb3d838e5b8cdddab92f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0feba98e795edb3d838e5b8cdddab92f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0feba98e795edb3d838e5b8cdddab92f_JaffaCakes118.exe"
1⤵
- Modifies firewall policy service
- UAC bypass
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3028