cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b

General

Target

1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
Size

15.9MB
MD5

1f6ffbf88537755b91d44ef7f2adec54
SHA1

e85536f40c73aa0293645bc0e61c4290af3a0b65
SHA256

cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b
SHA512

bc0922aa3a79d6790c4c21b7c404d439233120772528ddcb96c390f276e91f9f162d6a490e02ee4bd963aa02ec15ed88e202e75155e02b1e41a593372fe8f161
SSDEEP

393216:+/wVJkOBL+pielCMp6RY7x7SYxJoJuJpcPU0Rruuezx6:+amqL+pi2CUoSVqRzez

Score

8^/10

agilenet evasion execution vmprotect

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

Processes:

1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe

pid process

3328 1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe

Obfuscated with Agile.Net obfuscator 7 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/3328-5-0x00000000001D0000-0x0000000002E78000-memory.dmp	agile_net
behavioral2/memory/3328-4-0x00000000001D0000-0x0000000002E78000-memory.dmp	agile_net
behavioral2/memory/3328-8-0x00000000001D0000-0x0000000002E78000-memory.dmp	agile_net
behavioral2/memory/3328-27-0x0000000002EF0000-0x0000000002F14000-memory.dmp	agile_net
behavioral2/memory/3328-32-0x0000000002F90000-0x0000000002FF6000-memory.dmp	agile_net
behavioral2/memory/3328-40-0x0000000003290000-0x000000000351E000-memory.dmp	agile_net
behavioral2/memory/3328-51-0x00000000001D0000-0x0000000002E78000-memory.dmp	agile_net

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/3328-13-0x0000000002E80000-0x0000000002EBE000-memory.dmp	vmprotect
behavioral2/memory/3328-15-0x000002873D560000-0x000002873D58C000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe

pid process

3328 1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
3328 1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4528 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

5024 taskkill.exe
2464 taskkill.exe
2392 taskkill.exe
2308 taskkill.exe
952 taskkill.exe

pid	process
4528	sc.exe

pid	process
5024	taskkill.exe
2464	taskkill.exe
2392	taskkill.exe
2308	taskkill.exe
952	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe

pid	process
3328	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
3328	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
3328	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3328	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
Token: SeDebugPrivilege	5024	taskkill.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	2308	taskkill.exe
Token: SeDebugPrivilege	952	taskkill.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3328 wrote to memory of 3712	3328	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 3328 wrote to memory of 3712	3328	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 3328 wrote to memory of 4380	3328	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 3328 wrote to memory of 4380	3328	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 3328 wrote to memory of 2876	3328	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 3328 wrote to memory of 2876	3328	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 3328 wrote to memory of 1828	3328	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 3328 wrote to memory of 1828	3328	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 3328 wrote to memory of 4976	3328	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 3328 wrote to memory of 4976	3328	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 3328 wrote to memory of 4108	3328	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 3328 wrote to memory of 4108	3328	1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe	cmd.exe
PID 4380 wrote to memory of 5024	4380	cmd.exe	taskkill.exe
PID 4380 wrote to memory of 5024	4380	cmd.exe	taskkill.exe
PID 3712 wrote to memory of 2464	3712	cmd.exe	taskkill.exe
PID 3712 wrote to memory of 2464	3712	cmd.exe	taskkill.exe
PID 2876 wrote to memory of 4528	2876	cmd.exe	sc.exe
PID 2876 wrote to memory of 4528	2876	cmd.exe	sc.exe
PID 4108 wrote to memory of 2392	4108	cmd.exe	taskkill.exe
PID 4108 wrote to memory of 2392	4108	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 2308	1828	cmd.exe	taskkill.exe
PID 1828 wrote to memory of 2308	1828	cmd.exe	taskkill.exe
PID 4976 wrote to memory of 952	4976	cmd.exe	taskkill.exe
PID 4976 wrote to memory of 952	4976	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f6ffbf88537755b91d44ef7f2adec54_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /F /IM UnrealCEFSubProcess.exe /T
2⤵
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\system32\taskkill.exe
taskkill /F /IM UnrealCEFSubProcess.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /F /IM EpicGamesLauncher.exe /T
2⤵
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\system32\taskkill.exe
taskkill /F /IM EpicGamesLauncher.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop HTTPDebuggerPro
2⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /F /IM IPROSetMonitor.exe /T
2⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\system32\taskkill.exe
taskkill /F /IM IPROSetMonitor.exe /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /F /IM "Razer Synapse Service Process.exe" /T
2⤵
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\system32\taskkill.exe
taskkill /F /IM "Razer Synapse Service Process.exe" /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /F /IM "Razer Synapse Service.exe" /T
2⤵
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\system32\taskkill.exe
taskkill /F /IM "Razer Synapse Service.exe" /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\333d975b-78a7-46ce-aaa9-98c12a985d28\AgileDotNetRT64.dll

Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb43DA.tmp

Filesize
1KB

MD5
873e89965c183ad9c2bb55eed0622261

SHA1
57380dfdae3d91d49eb8988b3d0a0aad946584db

SHA256
4548fe128bc1ac730a805f7b57922a82b61999b9e3f6a6b0d5e0488015d2671f

SHA512
0ede0724fa3ccb965f769f3caf24f3a463bb444a55f0c04ad549225826436d1eee6112a313227941f50e4591924a904da51bf4461d2a12d62d7cfbe8325a1aa4

Download Submit
memory/3328-4-0x00000000001D0000-0x0000000002E78000-memory.dmp

Filesize
44.7MB

Download
memory/3328-51-0x00000000001D0000-0x0000000002E78000-memory.dmp

Filesize
44.7MB

Download
memory/3328-3-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/3328-5-0x00000000001D0000-0x0000000002E78000-memory.dmp

Filesize
44.7MB

Download
memory/3328-0-0x00000000001D0000-0x0000000002E78000-memory.dmp

Filesize
44.7MB

Download
memory/3328-7-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/3328-8-0x00000000001D0000-0x0000000002E78000-memory.dmp

Filesize
44.7MB

Download
memory/3328-13-0x0000000002E80000-0x0000000002EBE000-memory.dmp

Filesize
248KB

Download
memory/3328-14-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/3328-27-0x0000000002EF0000-0x0000000002F14000-memory.dmp

Filesize
144KB

Download
memory/3328-6-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/3328-2-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/3328-15-0x000002873D560000-0x000002873D58C000-memory.dmp

Filesize
176KB

Download
memory/3328-32-0x0000000002F90000-0x0000000002FF6000-memory.dmp

Filesize
408KB

Download
memory/3328-33-0x000002873D5D0000-0x000002873D5E6000-memory.dmp

Filesize
88KB

Download
memory/3328-40-0x0000000003290000-0x000000000351E000-memory.dmp

Filesize
2.6MB

Download
memory/3328-39-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/3328-37-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/3328-1-0x00007FFD9980D000-0x00007FFD9980E000-memory.dmp

Filesize
4KB

Download
memory/3328-45-0x0000000003000000-0x00000000030B0000-memory.dmp

Filesize
704KB

Download
memory/3328-50-0x0000028758240000-0x00000287582B6000-memory.dmp

Filesize
472KB

Download
memory/3328-52-0x00007FFD99770000-0x00007FFD99965000-memory.dmp

Filesize
2.0MB

Download
memory/3328-22-0x00007FFD8A660000-0x00007FFD8A7AE000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads