Analysis
max time kernel: 119s
max time network: 125s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 04/11/2024, 02:53
Static task: static1
Behavioral task: behavioral1
Sample: 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Size: 75KB
MD5: 8ec80f0c252e4428e2e383aad8cc212a
SHA1: 4635ab9c4a56f4846b5872c9abede2b68819fe8b
SHA256: dc7df90dc4e9c9898f92023224b4e20a791b728543c5ec7f5703f6880f4e42d1
SHA512: 211a1f9db2ed646e86596e57648dc6bbb63401d1830109bd85a70092e4df490c2280e9879a845ecbe2dbd842ef7447ea8a4d9d0f966d52b4d0e96e7385fa9775
SSDEEP: 1536:QXWwODtX2W5AUSrKev9yG0hcEptq60gm0UlBdDz7F0grZetx9mAN:YWbOrF9PC0MSlJRsIAN
Malware Config
Signatures
Windows security bypass 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Windows security modification 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\ieocx.dll | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Modifies Control Panel 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\don't load | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\don't load\scui.cpl = "No" | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\don't load\wscui.cpl = "No" | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
Runs net.exe
Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 1100 wrote to memory of 2336 | 1100 | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe | 30
PID 1100 wrote to memory of 2336 | 1100 | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe | 30
PID 1100 wrote to memory of 2336 | 1100 | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe | 30
PID 1100 wrote to memory of 2336 | 1100 | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe | 30
PID 1100 wrote to memory of 2336 | 1100 | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe | 30
PID 1100 wrote to memory of 2336 | 1100 | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe | 30
PID 1100 wrote to memory of 2336 | 1100 | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe | 30
PID 1100 wrote to memory of 880 | 1100 | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe | 31
PID 1100 wrote to memory of 880 | 1100 | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe | 31
PID 1100 wrote to memory of 880 | 1100 | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe | 31
PID 1100 wrote to memory of 880 | 1100 | 8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe | 31
PID 880 wrote to memory of 2680 | 880 | net.exe | 33
PID 880 wrote to memory of 2680 | 880 | net.exe | 33
PID 880 wrote to memory of 2680 | 880 | net.exe | 33
PID 880 wrote to memory of 2680 | 880 | net.exe | 33
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ec80f0c252e4428e2e383aad8cc212a_JaffaCakes118.exe"
  PID: 1100
  - Windows security bypass
  - Windows security modification
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\system32\regsvr32.exe /s C:\Windows\ieocx.dll
    PID: 2336
    - System Location Discovery: System Language Discovery

  Depth 2: C:\Windows\SysWOW64\net.exe
    Command line: C:\Windows\system32\net.exe stop "Security Center"
    PID: 880
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "Security Center"
      PID: 2680
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 29KB
MD5: 74b6a00a13cb371c4c919da8e44eac5e
SHA1: baa584419445c50188ce895947bc5783bde5ea5c
SHA256: 21511fea07b56208026de586fd4ed1d204a2b74124f5437cc3d1deeffb21d471
SHA512: 73ef4be67472a7299ae024d455aadb3069ee2eef746f98a9a43b5fa2b89fcf6017a202d1b81626c1926c0920946191dab23360a8be7afb3f5e909c3565f66828