33175665dc003a737e982c767890412e57ea2ae96f25fd8535637f5894ff2074

General

Target

7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
Size

425KB
MD5

7034f17b2033bfd5ef9b0f81ce598da3
SHA1

959817c12dba46ce4e4595bf4f2374aadf52e8ef
SHA256

33175665dc003a737e982c767890412e57ea2ae96f25fd8535637f5894ff2074
SHA512

1390d2b6e58644238efb174f7b2726a5152e5b183dbbe4c02b0cacf796309df24c5e9bc4a4f26f1c525ae863f353020dcd6a63fa84afa6448072df87199a07c4
SSDEEP

6144:PqhlBy1+NR0frxdc6Dps/ep5NKWNzYXPAA5+VUbvpQhcHGBeBZq6wbTHK+5URA:PAlBpNR0fHcoNKWN7AQKG8BCbTHD9

Score

9^/10

defense_evasion discovery evasion execution impact persistence ransomware

Malware Config

Signatures

Contacts a large (13274) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

328 bcdedit.exe
2168 bcdedit.exe

pid	process
328	bcdedit.exe
2168	bcdedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exeupnpcont.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\upnpcont.exe\""	7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\upnpcont.exe\""	upnpcont.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1628 cmd.exe

pid	process
1628	cmd.exe

Drops startup file 1 IoCs

Processes:

7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\upnpcont.lnk	7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

upnpcont.exe

pid process

2948 upnpcont.exe
Loads dropped DLL 2 IoCs

Processes:

7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exeupnpcont.exe

pid process

2944 7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
2948 upnpcont.exe

pid	process
2948	upnpcont.exe

pid	process
2944	7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
2948	upnpcont.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exeupnpcont.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\upnpcont = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\upnpcont.exe\""	7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\upnpcont = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\upnpcont.exe\""	7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\upnpcont = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\upnpcont.exe\""	upnpcont.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\upnpcont = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\upnpcont.exe\""	upnpcont.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2052 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2592 taskkill.exe

flow	ioc
3	ipinfo.io

pid	process
2052	vssadmin.exe

pid	process
2592	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exeupnpcont.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop	7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\upnpcont.exe\""	7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop	upnpcont.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\\upnpcont.exe\""	upnpcont.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1648 PING.EXE

pid	process
1648	PING.EXE

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exetaskkill.exeupnpcont.exevssvc.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2944	7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeDebugPrivilege	2948	upnpcont.exe
Token: SeBackupPrivilege	1716	vssvc.exe
Token: SeRestorePrivilege	1716	vssvc.exe
Token: SeAuditPrivilege	1716	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1708	wmic.exe
Token: SeSecurityPrivilege	1708	wmic.exe
Token: SeTakeOwnershipPrivilege	1708	wmic.exe
Token: SeLoadDriverPrivilege	1708	wmic.exe
Token: SeSystemProfilePrivilege	1708	wmic.exe
Token: SeSystemtimePrivilege	1708	wmic.exe
Token: SeProfSingleProcessPrivilege	1708	wmic.exe
Token: SeIncBasePriorityPrivilege	1708	wmic.exe
Token: SeCreatePagefilePrivilege	1708	wmic.exe
Token: SeBackupPrivilege	1708	wmic.exe
Token: SeRestorePrivilege	1708	wmic.exe
Token: SeShutdownPrivilege	1708	wmic.exe
Token: SeDebugPrivilege	1708	wmic.exe
Token: SeSystemEnvironmentPrivilege	1708	wmic.exe
Token: SeRemoteShutdownPrivilege	1708	wmic.exe
Token: SeUndockPrivilege	1708	wmic.exe
Token: SeManageVolumePrivilege	1708	wmic.exe
Token: 33	1708	wmic.exe
Token: 34	1708	wmic.exe
Token: 35	1708	wmic.exe
Token: SeIncreaseQuotaPrivilege	1708	wmic.exe
Token: SeSecurityPrivilege	1708	wmic.exe
Token: SeTakeOwnershipPrivilege	1708	wmic.exe
Token: SeLoadDriverPrivilege	1708	wmic.exe
Token: SeSystemProfilePrivilege	1708	wmic.exe
Token: SeSystemtimePrivilege	1708	wmic.exe
Token: SeProfSingleProcessPrivilege	1708	wmic.exe
Token: SeIncBasePriorityPrivilege	1708	wmic.exe
Token: SeCreatePagefilePrivilege	1708	wmic.exe
Token: SeBackupPrivilege	1708	wmic.exe
Token: SeRestorePrivilege	1708	wmic.exe
Token: SeShutdownPrivilege	1708	wmic.exe
Token: SeDebugPrivilege	1708	wmic.exe
Token: SeSystemEnvironmentPrivilege	1708	wmic.exe
Token: SeRemoteShutdownPrivilege	1708	wmic.exe
Token: SeUndockPrivilege	1708	wmic.exe
Token: SeManageVolumePrivilege	1708	wmic.exe
Token: 33	1708	wmic.exe
Token: 34	1708	wmic.exe
Token: 35	1708	wmic.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.execmd.exeupnpcont.exe

description	pid	process	target process
PID 2944 wrote to memory of 2948	2944	7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe	upnpcont.exe
PID 2944 wrote to memory of 2948	2944	7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe	upnpcont.exe
PID 2944 wrote to memory of 2948	2944	7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe	upnpcont.exe
PID 2944 wrote to memory of 2948	2944	7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe	upnpcont.exe
PID 2944 wrote to memory of 1628	2944	7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 1628	2944	7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 1628	2944	7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe	cmd.exe
PID 2944 wrote to memory of 1628	2944	7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe	cmd.exe
PID 1628 wrote to memory of 2592	1628	cmd.exe	taskkill.exe
PID 1628 wrote to memory of 2592	1628	cmd.exe	taskkill.exe
PID 1628 wrote to memory of 2592	1628	cmd.exe	taskkill.exe
PID 1628 wrote to memory of 2592	1628	cmd.exe	taskkill.exe
PID 1628 wrote to memory of 1648	1628	cmd.exe	PING.EXE
PID 1628 wrote to memory of 1648	1628	cmd.exe	PING.EXE
PID 1628 wrote to memory of 1648	1628	cmd.exe	PING.EXE
PID 1628 wrote to memory of 1648	1628	cmd.exe	PING.EXE
PID 2948 wrote to memory of 2052	2948	upnpcont.exe	vssadmin.exe
PID 2948 wrote to memory of 2052	2948	upnpcont.exe	vssadmin.exe
PID 2948 wrote to memory of 2052	2948	upnpcont.exe	vssadmin.exe
PID 2948 wrote to memory of 2052	2948	upnpcont.exe	vssadmin.exe
PID 2948 wrote to memory of 1708	2948	upnpcont.exe	wmic.exe
PID 2948 wrote to memory of 1708	2948	upnpcont.exe	wmic.exe
PID 2948 wrote to memory of 1708	2948	upnpcont.exe	wmic.exe
PID 2948 wrote to memory of 1708	2948	upnpcont.exe	wmic.exe
PID 2948 wrote to memory of 328	2948	upnpcont.exe	bcdedit.exe
PID 2948 wrote to memory of 328	2948	upnpcont.exe	bcdedit.exe
PID 2948 wrote to memory of 328	2948	upnpcont.exe	bcdedit.exe
PID 2948 wrote to memory of 328	2948	upnpcont.exe	bcdedit.exe
PID 2948 wrote to memory of 2168	2948	upnpcont.exe	bcdedit.exe
PID 2948 wrote to memory of 2168	2948	upnpcont.exe	bcdedit.exe
PID 2948 wrote to memory of 2168	2948	upnpcont.exe	bcdedit.exe
PID 2948 wrote to memory of 2168	2948	upnpcont.exe	bcdedit.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944

C:\Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\upnpcont.exe
"C:\Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\upnpcont.exe"
2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\system32\vssadmin.exe
"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2052

C:\Windows\system32\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:328

C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:2168

C:\Windows\SysWOW64\cmd.exe
/d /c taskkill /t /f /im "7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe" > NUL
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /im "7034f17b2033bfd5ef9b0f81ce598da3_JaffaCakes118.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\SysWOW64\PING.EXE
ping -n 1 127.0.0.1
3⤵
- Runs ping.exe
PID:1648

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Network Service Discovery

2

T1046

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\upnpcont.lnk
Filesize
1KB

MD5
d3dce7b417b4d1743c5245889711ffaa

SHA1
708343bd6c0b9d0765bbb855fe05cadac2610e61

SHA256
4898639d315b01c67d8cf02f6827df799892e530d259da92b60aaf0983aab5b6

SHA512
fcee40beca3ee63fb669ca2b11b8dd53870b0bc074295eb04494815f084162bf297eab193ed44e3981d09988328b919b04237db32cf9d82138690635de08c768

Download Submit
\Users\Admin\AppData\Roaming\{B4D97F26-2571-67E6-FEC3-BCB500FF708F}\upnpcont.exe
Filesize
425KB

MD5
7034f17b2033bfd5ef9b0f81ce598da3

SHA1
959817c12dba46ce4e4595bf4f2374aadf52e8ef

SHA256
33175665dc003a737e982c767890412e57ea2ae96f25fd8535637f5894ff2074

SHA512
1390d2b6e58644238efb174f7b2726a5152e5b183dbbe4c02b0cacf796309df24c5e9bc4a4f26f1c525ae863f353020dcd6a63fa84afa6448072df87199a07c4

Download Submit
memory/2944-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2944-10-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2948-11-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2948-18-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads