7c763f08655cae3ac7949f5b0980c130cea9b0cacba5cce78aa624bd4fc17f40

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 07:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Size

26KB
MD5

ea91bab7081766a6081302140445c338
SHA1

c29a5dbe23fa6c28b4f4020d72650c38a6a0388a
SHA256

7c763f08655cae3ac7949f5b0980c130cea9b0cacba5cce78aa624bd4fc17f40
SHA512

2af57aedd891a4e3dfc7921ba4b5ceb95f5c75752f5f24a300e2f653e22734812a4d0507e3a6881a0d750b42e0bbe873bfa5ba9558e68f1b125800b6ec4078e4
SSDEEP

768:u7aFxbNgbfaR6K/YY871Tj9dhZgG2ngQY:uI+bfa4SYYgh7IE

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravservice.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.KXP\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.KXP\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREngLdr.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVTRAY.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwstub.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsMain.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.KXP	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE\debugger = "C:\\Windows\\system32\\dllcache\\spoolsv.exe"	ea91bab7081766a6081302140445c338_JaffaCakes118.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\skv\ImagePath = "\\??\\C:\\Windows\\Fonts\\skv.fon"	rundll32.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
1296	avpp.pif

Loads dropped DLL 7 IoCs

pid	Process
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
2964	rundll32.exe
2964	rundll32.exe
2964	rundll32.exe
2964	rundll32.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\m:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened (read-only)	\??\u:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened (read-only)	\??\v:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened (read-only)	\??\y:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened (read-only)	\??\h:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened (read-only)	\??\k:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened (read-only)	\??\l:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened (read-only)	\??\n:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened (read-only)	\??\o:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened (read-only)	\??\x:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened (read-only)	\??\z:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened (read-only)	\??\e:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened (read-only)	\??\g:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened (read-only)	\??\w:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened (read-only)	\??\j:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened (read-only)	\??\q:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened (read-only)	\??\r:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened (read-only)	\??\s:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened (read-only)	\??\t:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened (read-only)	\??\i:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened (read-only)	\??\p:	ea91bab7081766a6081302140445c338_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	\??\c:\AUTORUN.INF	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened for modification	\??\c:\AUTORUN.INF	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File created	\??\f:\AUTORUN.INF	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened for modification	\??\f:\AUTORUN.INF	ea91bab7081766a6081302140445c338_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dllcache\linkinfo.dll	ea91bab7081766a6081302140445c338_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\avpp.pif	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File opened for modification	C:\Program Files\avpp.pif	ea91bab7081766a6081302140445c338_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\skv.fon	rundll32.exe
File created	C:\Windows\fonts\fangdapp.sys	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
File created	C:\Windows\fonts\naks.sys	ea91bab7081766a6081302140445c338_JaffaCakes118.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2508	sc.exe
2532	sc.exe
2780	sc.exe
2492	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
1296	avpp.pif
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
2964	rundll32.exe
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe
Token: SeDebugPrivilege	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 1296	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	28
PID 836 wrote to memory of 1296	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	28
PID 836 wrote to memory of 1296	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	28
PID 836 wrote to memory of 1296	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	28
PID 1296 wrote to memory of 2424	1296	avpp.pif	29
PID 1296 wrote to memory of 2424	1296	avpp.pif	29
PID 1296 wrote to memory of 2424	1296	avpp.pif	29
PID 1296 wrote to memory of 2424	1296	avpp.pif	29
PID 2424 wrote to memory of 2964	2424	cmd.exe	31
PID 2424 wrote to memory of 2964	2424	cmd.exe	31
PID 2424 wrote to memory of 2964	2424	cmd.exe	31
PID 2424 wrote to memory of 2964	2424	cmd.exe	31
PID 2424 wrote to memory of 2964	2424	cmd.exe	31
PID 2424 wrote to memory of 2964	2424	cmd.exe	31
PID 2424 wrote to memory of 2964	2424	cmd.exe	31
PID 836 wrote to memory of 2496	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	32
PID 836 wrote to memory of 2496	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	32
PID 836 wrote to memory of 2496	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	32
PID 836 wrote to memory of 2496	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	32
PID 836 wrote to memory of 2488	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	33
PID 836 wrote to memory of 2488	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	33
PID 836 wrote to memory of 2488	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	33
PID 836 wrote to memory of 2488	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	33
PID 836 wrote to memory of 2736	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	35
PID 836 wrote to memory of 2736	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	35
PID 836 wrote to memory of 2736	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	35
PID 836 wrote to memory of 2736	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	35
PID 836 wrote to memory of 2768	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	36
PID 836 wrote to memory of 2768	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	36
PID 836 wrote to memory of 2768	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	36
PID 836 wrote to memory of 2768	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	36
PID 836 wrote to memory of 2704	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	39
PID 836 wrote to memory of 2704	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	39
PID 836 wrote to memory of 2704	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	39
PID 836 wrote to memory of 2704	836	ea91bab7081766a6081302140445c338_JaffaCakes118.exe	39
PID 2736 wrote to memory of 2508	2736	cmd.exe	43
PID 2736 wrote to memory of 2508	2736	cmd.exe	43
PID 2736 wrote to memory of 2508	2736	cmd.exe	43
PID 2736 wrote to memory of 2508	2736	cmd.exe	43
PID 2768 wrote to memory of 2492	2768	cmd.exe	42
PID 2768 wrote to memory of 2492	2768	cmd.exe	42
PID 2768 wrote to memory of 2492	2768	cmd.exe	42
PID 2768 wrote to memory of 2492	2768	cmd.exe	42
PID 2488 wrote to memory of 2532	2488	cmd.exe	44
PID 2488 wrote to memory of 2532	2488	cmd.exe	44
PID 2488 wrote to memory of 2532	2488	cmd.exe	44
PID 2488 wrote to memory of 2532	2488	cmd.exe	44
PID 2496 wrote to memory of 2776	2496	cmd.exe	45
PID 2496 wrote to memory of 2776	2496	cmd.exe	45
PID 2496 wrote to memory of 2776	2496	cmd.exe	45
PID 2496 wrote to memory of 2776	2496	cmd.exe	45
PID 2704 wrote to memory of 2780	2704	cmd.exe	46
PID 2704 wrote to memory of 2780	2704	cmd.exe	46
PID 2704 wrote to memory of 2780	2704	cmd.exe	46
PID 2704 wrote to memory of 2780	2704	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\ea91bab7081766a6081302140445c338_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea91bab7081766a6081302140445c338_JaffaCakes118.exe"
1⤵
- Sets file execution options in registry
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836
- C:\Program Files\avpp.pif
  "C:\Program Files\avpp.pif"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c rundll32 Runt.dll,RundllTest
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 Runt.dll,RundllTest
      4⤵
      Sets service image path in registry
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious behavior: LoadsDriver
      PID:2964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net1 start server
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\net1.exe
    net1 start server
    3⤵
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c sc delete RavCCenter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\sc.exe
    sc delete RavCCenter
    3⤵
    - Launches sc.exe
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c sc delete RsScanSrv
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\sc.exe
    sc delete RsScanSrv
    3⤵
    - Launches sc.exe
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c sc delete RavTask
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\sc.exe
    sc delete RavTask
    3⤵
    - Launches sc.exe
    PID:2492
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c sc delete RsRavMon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\sc.exe
    sc delete RsRavMon
    3⤵
    - Launches sc.exe
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Runt.dll

Filesize
7KB

MD5
6be89083797c510ba7d2f60862cb56f2

SHA1
25ea4be4c4744d5cb3074a34236bf62672939556

SHA256
0eeec319979f29f56ce95dc5b2ff5f152b47fd399356b58114f745e5e04d4995

SHA512
9c67aba4b14dcef46c031b2d68b86dec493bb4e2ef5a20c21e613eb050f0a9f55837829e194eb1f05c87c8bc0f50c466f12179ab7c7c67cb9508a266e96c3c0a

Download Submit
\Program Files\avpp.pif

Filesize
8KB

MD5
885768d57dbcc57d9f34001ad81fb9a4

SHA1
4a6855576916f0b4aa87e3a99f079275bb243c53

SHA256
c6c4bd80527977ee389af6a1d25ed10d43504bf5bceab36481ced2cc0df94990

SHA512
28131a0e2a5784337058ff7368000d6386fcbf4b418f5351a9b0aa6bc6e5d313cf580e59e2ab863fc4082c60d4de4c99369034f9da412c27c52ff831c0212263

Download Submit
\Users\Admin\AppData\Local\Temp\dll4BFE.tmp

Filesize
12KB

MD5
8f25a0d7ce4fa3d03310212c760af7c7

SHA1
2d1f05bbdfea5905cccb7f9c5c1845eff13466d5

SHA256
bd3af985c23dba2673e1add8eb294adf12a3da1d735ac4f3d09e9eb81221b5a3

SHA512
4ed3b64aea86b1fa4e41165e28ea1887fb30a4e918f38860c0ea6ea6dbda53d9daada10ad97999cac11b92d7196d613fd356d0e9ead19e5a32cb64f793deb42b

Download Submit
memory/836-5-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/836-9-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/836-26-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/836-27-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/1296-12-0x0000000013140000-0x0000000013143000-memory.dmp

Filesize
12KB

Download
memory/2964-19-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download