cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b

General

Target

1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
Size

15.9MB
MD5

1f6ffbf88537755b91d44ef7f2adec54
SHA1

e85536f40c73aa0293645bc0e61c4290af3a0b65
SHA256

cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b
SHA512

bc0922aa3a79d6790c4c21b7c404d439233120772528ddcb96c390f276e91f9f162d6a490e02ee4bd963aa02ec15ed88e202e75155e02b1e41a593372fe8f161
SSDEEP

393216:+/wVJkOBL+pielCMp6RY7x7SYxJoJuJpcPU0Rruuezx6:+amqL+pi2CUoSVqRzez

Score

8^/10

agilenet evasion execution vmprotect

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Loads dropped DLL 1 IoCs

Processes:

1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe

pid process

2164 1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe

Obfuscated with Agile.Net obfuscator 10 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2164-6-0x0000000001280000-0x0000000003F28000-memory.dmp	agile_net
behavioral1/memory/2164-5-0x0000000001280000-0x0000000003F28000-memory.dmp	agile_net
behavioral1/memory/2164-15-0x0000000001280000-0x0000000003F28000-memory.dmp	agile_net
behavioral1/memory/2164-16-0x0000000001280000-0x0000000003F28000-memory.dmp	agile_net
behavioral1/memory/2164-40-0x0000000006340000-0x00000000063A6000-memory.dmp	agile_net
behavioral1/memory/2164-35-0x0000000005F30000-0x0000000005F54000-memory.dmp	agile_net
behavioral1/memory/2164-46-0x0000000022800000-0x0000000022A8E000-memory.dmp	agile_net
behavioral1/memory/2164-59-0x0000000001280000-0x0000000003F28000-memory.dmp	agile_net
behavioral1/memory/2164-58-0x0000000001280000-0x0000000003F28000-memory.dmp	agile_net
behavioral1/memory/2164-65-0x0000000001280000-0x0000000003F28000-memory.dmp	agile_net

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2164-22-0x0000000001210000-0x000000000124E000-memory.dmp	vmprotect
behavioral1/memory/2164-23-0x0000000000C00000-0x0000000000C2C000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe

pid	process
2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1632 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2768 taskkill.exe
2792 taskkill.exe
2756 taskkill.exe
2740 taskkill.exe
2724 taskkill.exe

pid	process
1632	sc.exe

pid	process
2768	taskkill.exe
2792	taskkill.exe
2756	taskkill.exe
2740	taskkill.exe
2724	taskkill.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe

pid	process
2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
Token: SeDebugPrivilege	2768	taskkill.exe
Token: SeDebugPrivilege	2792	taskkill.exe
Token: SeDebugPrivilege	2724	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	2756	taskkill.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2164 wrote to memory of 2560	2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 2164 wrote to memory of 2560	2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 2164 wrote to memory of 2560	2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 2164 wrote to memory of 2552	2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 2164 wrote to memory of 2552	2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 2164 wrote to memory of 2552	2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 2164 wrote to memory of 1016	2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 2164 wrote to memory of 1016	2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 2164 wrote to memory of 1016	2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 2164 wrote to memory of 2384	2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 2164 wrote to memory of 2384	2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 2164 wrote to memory of 2384	2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 2164 wrote to memory of 2380	2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 2164 wrote to memory of 2380	2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 2164 wrote to memory of 2380	2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 2164 wrote to memory of 2400	2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 2164 wrote to memory of 2400	2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 2164 wrote to memory of 2400	2164	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 1016 wrote to memory of 1632	1016	cmd.exe	sc.exe
PID 1016 wrote to memory of 1632	1016	cmd.exe	sc.exe
PID 1016 wrote to memory of 1632	1016	cmd.exe	sc.exe
PID 2384 wrote to memory of 2768	2384	cmd.exe	taskkill.exe
PID 2384 wrote to memory of 2768	2384	cmd.exe	taskkill.exe
PID 2384 wrote to memory of 2768	2384	cmd.exe	taskkill.exe
PID 2560 wrote to memory of 2792	2560	cmd.exe	taskkill.exe
PID 2560 wrote to memory of 2792	2560	cmd.exe	taskkill.exe
PID 2560 wrote to memory of 2792	2560	cmd.exe	taskkill.exe
PID 2552 wrote to memory of 2724	2552	cmd.exe	taskkill.exe
PID 2552 wrote to memory of 2724	2552	cmd.exe	taskkill.exe
PID 2552 wrote to memory of 2724	2552	cmd.exe	taskkill.exe
PID 2380 wrote to memory of 2740	2380	cmd.exe	taskkill.exe
PID 2380 wrote to memory of 2740	2380	cmd.exe	taskkill.exe
PID 2380 wrote to memory of 2740	2380	cmd.exe	taskkill.exe
PID 2400 wrote to memory of 2756	2400	cmd.exe	taskkill.exe
PID 2400 wrote to memory of 2756	2400	cmd.exe	taskkill.exe
PID 2400 wrote to memory of 2756	2400	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /F /IM UnrealCEFSubProcess.exe /T
2⤵
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\system32\taskkill.exe
taskkill /F /IM UnrealCEFSubProcess.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /F /IM EpicGamesLauncher.exe /T
2⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\system32\taskkill.exe
taskkill /F /IM EpicGamesLauncher.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop HTTPDebuggerPro
2⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:1632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /F /IM IPROSetMonitor.exe /T
2⤵
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\system32\taskkill.exe
taskkill /F /IM IPROSetMonitor.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /F /IM "Razer Synapse Service Process.exe" /T
2⤵
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\system32\taskkill.exe
taskkill /F /IM "Razer Synapse Service Process.exe" /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /F /IM "Razer Synapse Service.exe" /T
2⤵
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\system32\taskkill.exe
taskkill /F /IM "Razer Synapse Service.exe" /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2756

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\333d975b-78a7-46ce-aaa9-98c12a985d28\AgileDotNetRT64.dll
Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb418E.tmp
Filesize
1KB

MD5
873e89965c183ad9c2bb55eed0622261

SHA1
57380dfdae3d91d49eb8988b3d0a0aad946584db

SHA256
4548fe128bc1ac730a805f7b57922a82b61999b9e3f6a6b0d5e0488015d2671f

SHA512
0ede0724fa3ccb965f769f3caf24f3a463bb444a55f0c04ad549225826436d1eee6112a313227941f50e4591924a904da51bf4461d2a12d62d7cfbe8325a1aa4

Download Submit
memory/2164-22-0x0000000001210000-0x000000000124E000-memory.dmp

Filesize
248KB

Download
memory/2164-11-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2164-12-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2164-23-0x0000000000C00000-0x0000000000C2C000-memory.dmp

Filesize
176KB

Download
memory/2164-10-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2164-30-0x000007FEF4520000-0x000007FEF464C000-memory.dmp

Filesize
1.2MB

Download
memory/2164-8-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2164-7-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2164-6-0x0000000001280000-0x0000000003F28000-memory.dmp

Filesize
44.7MB

Download
memory/2164-5-0x0000000001280000-0x0000000003F28000-memory.dmp

Filesize
44.7MB

Download
memory/2164-3-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2164-2-0x0000000077711000-0x0000000077712000-memory.dmp

Filesize
4KB

Download
memory/2164-1-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2164-15-0x0000000001280000-0x0000000003F28000-memory.dmp

Filesize
44.7MB

Download
memory/2164-16-0x0000000001280000-0x0000000003F28000-memory.dmp

Filesize
44.7MB

Download
memory/2164-17-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2164-64-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2164-14-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2164-9-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2164-13-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2164-41-0x0000000000DB0000-0x0000000000DC6000-memory.dmp

Filesize
88KB

Download
memory/2164-40-0x0000000006340000-0x00000000063A6000-memory.dmp

Filesize
408KB

Download
memory/2164-35-0x0000000005F30000-0x0000000005F54000-memory.dmp

Filesize
144KB

Download
memory/2164-48-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2164-47-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2164-46-0x0000000022800000-0x0000000022A8E000-memory.dmp

Filesize
2.6MB

Download
memory/2164-53-0x0000000022320000-0x00000000223D0000-memory.dmp

Filesize
704KB

Download
memory/2164-4-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2164-59-0x0000000001280000-0x0000000003F28000-memory.dmp

Filesize
44.7MB

Download
memory/2164-58-0x0000000001280000-0x0000000003F28000-memory.dmp

Filesize
44.7MB

Download
memory/2164-61-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2164-60-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2164-65-0x0000000001280000-0x0000000003F28000-memory.dmp

Filesize
44.7MB

Download
memory/2164-0-0x0000000001280000-0x0000000003F28000-memory.dmp

Filesize
44.7MB

Download
memory/2164-63-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads