f8c73b12c29665c5c88bd7ce4ab9b609c8b82961f22f3a059a6b514149ea2f6d

General

Target

e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe
Size

135KB
MD5

e95fde3755bfdc750ed7951ec8e39507
SHA1

9860efa2f66d70207bb994bec6b444e13eac8f7d
SHA256

f8c73b12c29665c5c88bd7ce4ab9b609c8b82961f22f3a059a6b514149ea2f6d
SHA512

b7bc3697a2f9b6cc14a5d069b4fef490956a88879a9ea0b4c390b121e5c53fc4bcb807e513dce04b6ce688c674becdefcf0846a80c6784c7e198c739aa9da85d
SSDEEP

3072:T6YDfgKvdZYYMT7hOLiQ1JkeqXBhS9M9I7eHlZZly8C9:TN4KvcYqcWsJkeSSOak6n9

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ndisrd\ImagePath = "system32\\DRIVERS\\ndisrd.sys"	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2276	drvsign.exe
2604	snetcfg.exe

Loads dropped DLL 4 IoCs

pid	Process
2168	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe
2168	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe
2168	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe
2168	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1df79c56-8609-3a41-10a0-255058ccd210}\SET37C3.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1df79c56-8609-3a41-10a0-255058ccd210}\SET37C3.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1df79c56-8609-3a41-10a0-255058ccd210}\ndisrd.inf	DrvInst.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	snetcfg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2516	rundll32.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeRestorePrivilege	2604	snetcfg.exe
Token: SeRestorePrivilege	2604	snetcfg.exe
Token: SeRestorePrivilege	2604	snetcfg.exe
Token: SeRestorePrivilege	2604	snetcfg.exe
Token: SeRestorePrivilege	2604	snetcfg.exe
Token: SeRestorePrivilege	2604	snetcfg.exe
Token: SeRestorePrivilege	2604	snetcfg.exe
Token: SeRestorePrivilege	2604	snetcfg.exe
Token: SeRestorePrivilege	2604	snetcfg.exe
Token: SeRestorePrivilege	2604	snetcfg.exe
Token: SeRestorePrivilege	2604	snetcfg.exe
Token: SeRestorePrivilege	2604	snetcfg.exe
Token: SeRestorePrivilege	2604	snetcfg.exe
Token: SeRestorePrivilege	2604	snetcfg.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeRestorePrivilege	2516	rundll32.exe
Token: SeRestorePrivilege	2516	rundll32.exe
Token: SeRestorePrivilege	2516	rundll32.exe
Token: SeRestorePrivilege	2516	rundll32.exe
Token: SeRestorePrivilege	2516	rundll32.exe
Token: SeRestorePrivilege	2516	rundll32.exe
Token: SeRestorePrivilege	2516	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2276	2168	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe	28
PID 2168 wrote to memory of 2276	2168	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe	28
PID 2168 wrote to memory of 2276	2168	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe	28
PID 2168 wrote to memory of 2276	2168	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe	28
PID 2168 wrote to memory of 2604	2168	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2604	2168	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2604	2168	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe	30
PID 2168 wrote to memory of 2604	2168	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe	30
PID 2576 wrote to memory of 2516	2576	DrvInst.exe	33
PID 2576 wrote to memory of 2516	2576	DrvInst.exe	33
PID 2576 wrote to memory of 2516	2576	DrvInst.exe	33

C:\Users\Admin\AppData\Local\Temp\e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe"
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\drvsign.exe
  "drvsign.exe"
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Users\Admin\AppData\Local\Temp\snetcfg.exe
  "snetcfg.exe" -v -l ndisrd.inf -m ndisrd_m.inf -c s -i nt_ndisrd
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2604

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5add1c8f-fcc6-7982-280e-cd0223ba2b1d}\ndisrd.inf" "9" "6e0e7c7cf" "0000000000000558" "WinSta0\Default" "0000000000000398" "208" "C:\Users\Admin\AppData\Local\Temp"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{145aef9e-e9c1-33c6-aa5d-4436e6d29436} Global\{29a3b370-0d3b-42d8-4d9f-490d29c24356} C:\Windows\System32\DriverStore\Temp\{1df79c56-8609-3a41-10a0-255058ccd210}\ndisrd.inf
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ndisrd.inf

Filesize
3KB

MD5
353c49f48000ca566f228e3315ac8234

SHA1
5a3926d58d62a1e21e0811821808a864e1f0ce7c

SHA256
16d40dabb55453cfea72d585bc3bfd30f08f45c8a5c3382881be1e0d4c9e009b

SHA512
235389aab585b64f3f8db2366b2399dab787e7600a28ec9a6f2708bc06e60060d39fe7d32ddb6d62df238038fbdb5fe432646804120b7ee423253e768c792f47

Download Submit
\Users\Admin\AppData\Local\Temp\drvsign.exe

Filesize
76KB

MD5
1c5de8836a71c13437b4718efddf3422

SHA1
6903cb9baa15908c3f6d363f71e609c787e30974

SHA256
0e1dae071d4712c32c4d374638644a888c32d750f6289fcffad5dcf0dd2cfc8b

SHA512
0a97da0422ebe981bb33441565867ff4b53ccc08d7b680242d1e082438205303ab94d9becc43a433e4f7274e02da8b5370d4b0945c0ac6a323a23329093299ba

Download Submit
\Users\Admin\AppData\Local\Temp\snetcfg.exe

Filesize
13KB

MD5
88191a960f5e5e32712a98db95c21ffa

SHA1
1762de02a71fd4e0a34825be44b4e3be5ae47d5c

SHA256
32d96c634f4a97e648b467a9e040e90c854badb0424c6f8638621ab1501b6aab

SHA512
577187fdc00589b69a04afba419750f9303a312965bc715034e5e1045880d6c65374a79dc696633c98695aaf7f9193ad28c8acc36c841f594aea33e2478a1580

Download Submit
memory/2168-3-0x0000000000220000-0x0000000000291000-memory.dmp

Filesize
452KB

Download
memory/2168-4-0x0000000000225000-0x0000000000226000-memory.dmp

Filesize
4KB

Download
memory/2168-5-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2168-0-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2168-2-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2168-1-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2168-36-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2168-38-0x0000000000220000-0x0000000000291000-memory.dmp

Filesize
452KB

Download
memory/2516-35-0x0000000001C40000-0x0000000001C41000-memory.dmp

Filesize
4KB

Download
memory/2516-39-0x0000000001C40000-0x0000000001C41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads