f8c73b12c29665c5c88bd7ce4ab9b609c8b82961f22f3a059a6b514149ea2f6d

General

Target

e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe
Size

135KB
MD5

e95fde3755bfdc750ed7951ec8e39507
SHA1

9860efa2f66d70207bb994bec6b444e13eac8f7d
SHA256

f8c73b12c29665c5c88bd7ce4ab9b609c8b82961f22f3a059a6b514149ea2f6d
SHA512

b7bc3697a2f9b6cc14a5d069b4fef490956a88879a9ea0b4c390b121e5c53fc4bcb807e513dce04b6ce688c674becdefcf0846a80c6784c7e198c739aa9da85d
SSDEEP

3072:T6YDfgKvdZYYMT7hOLiQ1JkeqXBhS9M9I7eHlZZly8C9:TN4KvcYqcWsJkeSSOak6n9

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\srenum.sys	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ndisrd\ImagePath = "system32\\DRIVERS\\ndisrd.sys"	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\srenum\ImagePath = "SysWOW64\\DRIVERS\\srenum.sys"	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2876	drvsign.exe
2040	snetcfg.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8b4d0619-58c3-b040-be70-884612c42ea3}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{677580f8-67db-2648-a4e6-1773b46b3c02}\SET2A5C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{677580f8-67db-2648-a4e6-1773b46b3c02}\SET2A5C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{677580f8-67db-2648-a4e6-1773b46b3c02}\ndisrd_m.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{677580f8-67db-2648-a4e6-1773b46b3c02}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8b4d0619-58c3-b040-be70-884612c42ea3}\SET2A0D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8b4d0619-58c3-b040-be70-884612c42ea3}\SET2A0D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8b4d0619-58c3-b040-be70-884612c42ea3}\ndisrd.inf	DrvInst.exe
File created	C:\Windows\SysWOW64\msrun.exe	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	snetcfg.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2524	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeAuditPrivilege	216	svchost.exe
Token: SeSecurityPrivilege	216	svchost.exe
Token: SeLoadDriverPrivilege	2524	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2876	2524	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe	84
PID 2524 wrote to memory of 2876	2524	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe	84
PID 2524 wrote to memory of 2876	2524	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe	84
PID 2524 wrote to memory of 2040	2524	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe	86
PID 2524 wrote to memory of 2040	2524	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe	86
PID 2524 wrote to memory of 2040	2524	e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe	86
PID 216 wrote to memory of 1432	216	svchost.exe	92
PID 216 wrote to memory of 1432	216	svchost.exe	92
PID 216 wrote to memory of 1856	216	svchost.exe	93
PID 216 wrote to memory of 1856	216	svchost.exe	93

C:\Users\Admin\AppData\Local\Temp\e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e95fde3755bfdc750ed7951ec8e39507_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\drvsign.exe
  "drvsign.exe"
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Users\Admin\AppData\Local\Temp\snetcfg.exe
  "snetcfg.exe" -v -l ndisrd.inf -m ndisrd_m.inf -c s -i nt_ndisrd
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{9fa573fd-0b63-a942-8049-4c000dddb688}\ndisrd.inf" "9" "4e0e7c7cf" "0000000000000134" "WinSta0\Default" "0000000000000158" "208" "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:1432
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6c1134dd-9496-034d-b311-c6a0ec26585e}\ndisrd_m.inf" "9" "42a2dd9fb" "0000000000000158" "WinSta0\Default" "0000000000000160" "208" "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\drvsign.exe

Filesize
76KB

MD5
1c5de8836a71c13437b4718efddf3422

SHA1
6903cb9baa15908c3f6d363f71e609c787e30974

SHA256
0e1dae071d4712c32c4d374638644a888c32d750f6289fcffad5dcf0dd2cfc8b

SHA512
0a97da0422ebe981bb33441565867ff4b53ccc08d7b680242d1e082438205303ab94d9becc43a433e4f7274e02da8b5370d4b0945c0ac6a323a23329093299ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndisrd.inf

Filesize
3KB

MD5
353c49f48000ca566f228e3315ac8234

SHA1
5a3926d58d62a1e21e0811821808a864e1f0ce7c

SHA256
16d40dabb55453cfea72d585bc3bfd30f08f45c8a5c3382881be1e0d4c9e009b

SHA512
235389aab585b64f3f8db2366b2399dab787e7600a28ec9a6f2708bc06e60060d39fe7d32ddb6d62df238038fbdb5fe432646804120b7ee423253e768c792f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndisrd_m.inf

Filesize
1KB

MD5
7b80c9479b37b499544b74ecf5b83331

SHA1
5bf31c66872d851c779a89aaa56eba3153005ed3

SHA256
3059d609beab99a06ac721eedd3d6bcba35f91a38f3c9cc362fd21002c13fedb

SHA512
6f36d763ac019da65f2ec910af7404912bf36e590e9f36944d09e1c518cca4c14f5a816d8702b318792c05be2363a7b1b65d47b288444c90b4ceeb957a091157

Download Submit
C:\Users\Admin\AppData\Local\Temp\snetcfg.exe

Filesize
13KB

MD5
88191a960f5e5e32712a98db95c21ffa

SHA1
1762de02a71fd4e0a34825be44b4e3be5ae47d5c

SHA256
32d96c634f4a97e648b467a9e040e90c854badb0424c6f8638621ab1501b6aab

SHA512
577187fdc00589b69a04afba419750f9303a312965bc715034e5e1045880d6c65374a79dc696633c98695aaf7f9193ad28c8acc36c841f594aea33e2478a1580

Download Submit
memory/2524-0-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2524-1-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2524-2-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2524-3-0x00000000021D0000-0x0000000002241000-memory.dmp

Filesize
452KB

Download
memory/2524-4-0x00000000021D5000-0x00000000021D6000-memory.dmp

Filesize
4KB

Download
memory/2524-10-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2524-44-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2524-45-0x00000000021D0000-0x0000000002241000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads