2a6440c783aea184f39f5a16a120d705f5f0f01067ae795e38d87028049edb2e

General

Target

8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
Size

2.2MB
MD5

8d049a60a5d45859ef538f4ffd8f5a63
SHA1

24e38f415f188dbcd8565eb2f2ea04cd5543e3bb
SHA256

2a6440c783aea184f39f5a16a120d705f5f0f01067ae795e38d87028049edb2e
SHA512

3023dfba4e816bb3fa2707db8f588b7e92d08f70d750234d5c719c9046f027ada5c94fa490b84911e874fc4061b60616c61281d7f2907ed76e716ac6cb891900
SSDEEP

49152:zNfdKKoEuMIc/D8MTfVr68c9hGo6v1EMc:zNfdKsnI4dPYn6v1E

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

REG.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	REG.exe

Disables Task Manager via registry modification
evasion

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

securenet.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "svchost.exe"	securenet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	securenet.exe

Executes dropped EXE 2 IoCs

Processes:

securenet.exesecurenet.exe

pid process

2736 securenet.exe
2000 securenet.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exesecurenet.exe

pid process

2468 cmd.exe
2736 securenet.exe

pid	process
2736	securenet.exe
2000	securenet.exe

pid	process
2468	cmd.exe
2736	securenet.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exesecurenet.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	securenet.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	securenet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2760 schtasks.exe

pid	process
2760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe

pid	process
1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

securenet.exe

pid process

2736 securenet.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exesecurenet.exe

description pid process

Token: SeDebugPrivilege 1228 8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
Token: SeDebugPrivilege 2736 securenet.exe

pid	process
2736	securenet.exe

description	pid	process
Token: SeDebugPrivilege	1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
Token: SeDebugPrivilege	2736	securenet.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.execmd.exesecurenet.exe

description	pid	process	target process
PID 1228 wrote to memory of 2584	1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	schtasks.exe
PID 1228 wrote to memory of 2584	1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	schtasks.exe
PID 1228 wrote to memory of 2584	1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	schtasks.exe
PID 1228 wrote to memory of 2584	1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	schtasks.exe
PID 1228 wrote to memory of 2760	1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	schtasks.exe
PID 1228 wrote to memory of 2760	1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	schtasks.exe
PID 1228 wrote to memory of 2760	1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	schtasks.exe
PID 1228 wrote to memory of 2760	1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	schtasks.exe
PID 1228 wrote to memory of 2468	1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	cmd.exe
PID 1228 wrote to memory of 2468	1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	cmd.exe
PID 1228 wrote to memory of 2468	1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	cmd.exe
PID 1228 wrote to memory of 2468	1228	8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe	cmd.exe
PID 2468 wrote to memory of 2736	2468	cmd.exe	securenet.exe
PID 2468 wrote to memory of 2736	2468	cmd.exe	securenet.exe
PID 2468 wrote to memory of 2736	2468	cmd.exe	securenet.exe
PID 2468 wrote to memory of 2736	2468	cmd.exe	securenet.exe
PID 2468 wrote to memory of 2736	2468	cmd.exe	securenet.exe
PID 2468 wrote to memory of 2736	2468	cmd.exe	securenet.exe
PID 2468 wrote to memory of 2736	2468	cmd.exe	securenet.exe
PID 2736 wrote to memory of 2000	2736	securenet.exe	securenet.exe
PID 2736 wrote to memory of 2000	2736	securenet.exe	securenet.exe
PID 2736 wrote to memory of 2000	2736	securenet.exe	securenet.exe
PID 2736 wrote to memory of 2000	2736	securenet.exe	securenet.exe
PID 2736 wrote to memory of 2000	2736	securenet.exe	securenet.exe
PID 2736 wrote to memory of 2000	2736	securenet.exe	securenet.exe
PID 2736 wrote to memory of 2000	2736	securenet.exe	securenet.exe
PID 2736 wrote to memory of 2516	2736	securenet.exe	REG.exe
PID 2736 wrote to memory of 2516	2736	securenet.exe	REG.exe
PID 2736 wrote to memory of 2516	2736	securenet.exe	REG.exe
PID 2736 wrote to memory of 2516	2736	securenet.exe	REG.exe
PID 2736 wrote to memory of 2704	2736	securenet.exe	REG.exe
PID 2736 wrote to memory of 2704	2736	securenet.exe	REG.exe
PID 2736 wrote to memory of 2704	2736	securenet.exe	REG.exe
PID 2736 wrote to memory of 2704	2736	securenet.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d049a60a5d45859ef538f4ffd8f5a63_JaffaCakes118.exe"
1⤵
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\3d79fea3-2531-4dc3-9742-5f118ab61a73" /F
2⤵
PID:2584

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Update\3d79fea3-2531-4dc3-9742-5f118ab61a73" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2046763499.tmp"
2⤵
- Creates scheduled task(s)
PID:2760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /K "C:\Users\Admin\AppData\Roaming\securenet.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Roaming\securenet.exe
C:\Users\Admin\AppData\Roaming\securenet.exe
3⤵
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Roaming\securenet.exe
C:\Users\Admin\AppData\Roaming\securenet.exe
4⤵
- Executes dropped EXE
PID:2000

C:\Windows\SysWOW64\REG.exe
REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
PID:2516

C:\Windows\SysWOW64\REG.exe
REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
4⤵
- Disables RegEdit via registry modification
PID:2704

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2046763499.tmp
Filesize
1KB

MD5
7d824a9d045db2ef083dc169e9d7e69d

SHA1
3b964a0493f5a66a330d8374026d61de1da29a44

SHA256
84db6a1e194ba03d9b2b6e7e85c4e83793dc65dd2972e009ede7d45e17109c59

SHA512
a71a3270c6b13e61008e6858c866f0cd6ebf8c01bd247413a5fcede0fe554426ef5a7ce0f85dbf6e33ba4dbe9c2b2032aa9d98995cd078f8e1f13adebb8abc30

Download Submit
C:\Users\Admin\AppData\Roaming\securenet.exe
Filesize
2.2MB

MD5
e10df5d487a574e676db071894d44420

SHA1
6143f040353e45bd83319fdfc63a1c7892d009c6

SHA256
d44fe2c8a21d57237ea789e311b6217070c86d1896b3a252936144c7051a01c8

SHA512
02d72402f0e1a53d58c525bca4355d6d99bb85193aaad4d2562cae53145d938cf10e2a683f29c00333349260be1c5862fb3540fcaaad77ca6b7bbe752739392c

Download Submit
memory/1228-0-0x0000000074741000-0x0000000074742000-memory.dmp

Filesize
4KB

Download
memory/1228-1-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1228-2-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1228-3-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1228-10-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1228-12-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2736-17-0x0000000000600000-0x0000000000603000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads