1e064eb8c153c57a0b0d5c0d4a5e95195955c764044f46412ebb8c00040e1928

General

Target

924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe
Size

679KB
MD5

924e5824014d9c8fc0eeb8ff7bad9d7d
SHA1

1e902c04f0cdbc9a96049a5713050474baf907d0
SHA256

1e064eb8c153c57a0b0d5c0d4a5e95195955c764044f46412ebb8c00040e1928
SHA512

099dc55d4d67fe3e4e4071a51371c4ef1e14c2347fedfa8643f8bd39a79740b610fbbb775cfad2a82168eff12f02d507c3fe5f81d88a3ad98418069673e8771a
SSDEEP

12288:XQXYPcOvIuaxg1ms5S1hq3JonqMxFGlWARHT2Pn:X53vTPckMh5UlWcCPn

Score

7^/10

agilenet

Malware Config

Signatures

Drops startup file 9 IoCs

Processes:

cmd.execmd.execmd.exescvhost.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.lnk	scvhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	cmd.exe

Executes dropped EXE 10 IoCs

Processes:

scvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exe

pid	process
2640	scvhost.exe
1640	scvhost.exe
2116	scvhost.exe
388	scvhost.exe
1428	scvhost.exe
956	scvhost.exe
1864	scvhost.exe
2744	scvhost.exe
3016	scvhost.exe
1760	scvhost.exe

Loads dropped DLL 4 IoCs

Processes:

scvhost.exescvhost.exescvhost.exescvhost.exe

pid process

2640 scvhost.exe
1640 scvhost.exe
1428 scvhost.exe
2744 scvhost.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2256-3-0x00000000001F0000-0x0000000000228000-memory.dmp	agile_net

Suspicious use of SetThreadContext 2 IoCs

Processes:

scvhost.exescvhost.exe

description	pid	process	target process
PID 2640 set thread context of 1640	2640	scvhost.exe	scvhost.exe
PID 388 set thread context of 1428	388	scvhost.exe	scvhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1356 PING.EXE
656 PING.EXE
2476 PING.EXE

pid	process
1356	PING.EXE
656	PING.EXE
2476	PING.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exe

description	pid	process
Token: SeDebugPrivilege	2256	924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe
Token: SeDebugPrivilege	2640	scvhost.exe
Token: SeDebugPrivilege	1640	scvhost.exe
Token: SeDebugPrivilege	2116	scvhost.exe
Token: SeDebugPrivilege	388	scvhost.exe
Token: SeDebugPrivilege	1428	scvhost.exe
Token: SeDebugPrivilege	956	scvhost.exe
Token: SeDebugPrivilege	2744	scvhost.exe
Token: SeDebugPrivilege	3016	scvhost.exe
Token: SeDebugPrivilege	1760	scvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exeexplorer.exescvhost.exescvhost.execmd.exescvhost.exeexplorer.exescvhost.exescvhost.execmd.exe

description	pid	process	target process
PID 2256 wrote to memory of 2700	2256	924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe	cmd.exe
PID 2256 wrote to memory of 2700	2256	924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe	cmd.exe
PID 2256 wrote to memory of 2700	2256	924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe	cmd.exe
PID 2256 wrote to memory of 2700	2256	924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe	cmd.exe
PID 2256 wrote to memory of 2216	2256	924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe	explorer.exe
PID 2256 wrote to memory of 2216	2256	924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe	explorer.exe
PID 2256 wrote to memory of 2216	2256	924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe	explorer.exe
PID 2256 wrote to memory of 2216	2256	924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe	explorer.exe
PID 2776 wrote to memory of 2640	2776	explorer.exe	scvhost.exe
PID 2776 wrote to memory of 2640	2776	explorer.exe	scvhost.exe
PID 2776 wrote to memory of 2640	2776	explorer.exe	scvhost.exe
PID 2776 wrote to memory of 2640	2776	explorer.exe	scvhost.exe
PID 2640 wrote to memory of 1640	2640	scvhost.exe	scvhost.exe
PID 2640 wrote to memory of 1640	2640	scvhost.exe	scvhost.exe
PID 2640 wrote to memory of 1640	2640	scvhost.exe	scvhost.exe
PID 2640 wrote to memory of 1640	2640	scvhost.exe	scvhost.exe
PID 2640 wrote to memory of 1640	2640	scvhost.exe	scvhost.exe
PID 2640 wrote to memory of 1640	2640	scvhost.exe	scvhost.exe
PID 2640 wrote to memory of 1640	2640	scvhost.exe	scvhost.exe
PID 2640 wrote to memory of 1640	2640	scvhost.exe	scvhost.exe
PID 2640 wrote to memory of 1640	2640	scvhost.exe	scvhost.exe
PID 1640 wrote to memory of 2116	1640	scvhost.exe	scvhost.exe
PID 1640 wrote to memory of 2116	1640	scvhost.exe	scvhost.exe
PID 1640 wrote to memory of 2116	1640	scvhost.exe	scvhost.exe
PID 1640 wrote to memory of 2116	1640	scvhost.exe	scvhost.exe
PID 1640 wrote to memory of 1544	1640	scvhost.exe	cmd.exe
PID 1640 wrote to memory of 1544	1640	scvhost.exe	cmd.exe
PID 1640 wrote to memory of 1544	1640	scvhost.exe	cmd.exe
PID 1640 wrote to memory of 1544	1640	scvhost.exe	cmd.exe
PID 1544 wrote to memory of 1356	1544	cmd.exe	PING.EXE
PID 1544 wrote to memory of 1356	1544	cmd.exe	PING.EXE
PID 1544 wrote to memory of 1356	1544	cmd.exe	PING.EXE
PID 1544 wrote to memory of 1356	1544	cmd.exe	PING.EXE
PID 2116 wrote to memory of 1908	2116	scvhost.exe	cmd.exe
PID 2116 wrote to memory of 1908	2116	scvhost.exe	cmd.exe
PID 2116 wrote to memory of 1908	2116	scvhost.exe	cmd.exe
PID 2116 wrote to memory of 1908	2116	scvhost.exe	cmd.exe
PID 2116 wrote to memory of 1528	2116	scvhost.exe	explorer.exe
PID 2116 wrote to memory of 1528	2116	scvhost.exe	explorer.exe
PID 2116 wrote to memory of 1528	2116	scvhost.exe	explorer.exe
PID 2116 wrote to memory of 1528	2116	scvhost.exe	explorer.exe
PID 1800 wrote to memory of 388	1800	explorer.exe	scvhost.exe
PID 1800 wrote to memory of 388	1800	explorer.exe	scvhost.exe
PID 1800 wrote to memory of 388	1800	explorer.exe	scvhost.exe
PID 1800 wrote to memory of 388	1800	explorer.exe	scvhost.exe
PID 388 wrote to memory of 1428	388	scvhost.exe	scvhost.exe
PID 388 wrote to memory of 1428	388	scvhost.exe	scvhost.exe
PID 388 wrote to memory of 1428	388	scvhost.exe	scvhost.exe
PID 388 wrote to memory of 1428	388	scvhost.exe	scvhost.exe
PID 388 wrote to memory of 1428	388	scvhost.exe	scvhost.exe
PID 388 wrote to memory of 1428	388	scvhost.exe	scvhost.exe
PID 388 wrote to memory of 1428	388	scvhost.exe	scvhost.exe
PID 388 wrote to memory of 1428	388	scvhost.exe	scvhost.exe
PID 388 wrote to memory of 1428	388	scvhost.exe	scvhost.exe
PID 1428 wrote to memory of 956	1428	scvhost.exe	scvhost.exe
PID 1428 wrote to memory of 956	1428	scvhost.exe	scvhost.exe
PID 1428 wrote to memory of 956	1428	scvhost.exe	scvhost.exe
PID 1428 wrote to memory of 956	1428	scvhost.exe	scvhost.exe
PID 1428 wrote to memory of 2104	1428	scvhost.exe	cmd.exe
PID 1428 wrote to memory of 2104	1428	scvhost.exe	cmd.exe
PID 1428 wrote to memory of 2104	1428	scvhost.exe	cmd.exe
PID 1428 wrote to memory of 2104	1428	scvhost.exe	cmd.exe
PID 2104 wrote to memory of 656	2104	cmd.exe	PING.EXE
PID 2104 wrote to memory of 656	2104	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
2⤵
- Drops startup file
PID:2700

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
2⤵
PID:2216

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe
"C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
5⤵
- Drops startup file
PID:1908

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
5⤵
PID:1528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
5⤵
- Runs ping.exe
PID:1356

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:388

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe
"C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
5⤵
- Drops startup file
PID:2208

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
5⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
5⤵
- Runs ping.exe
PID:656

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1588

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
2⤵
- Executes dropped EXE
PID:1864

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe
"C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
5⤵
- Drops startup file
PID:1268

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
5⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
4⤵
PID:2532

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
5⤵
- Runs ping.exe
PID:2476

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2812

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1760

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe
Filesize
679KB

MD5
924e5824014d9c8fc0eeb8ff7bad9d7d

SHA1
1e902c04f0cdbc9a96049a5713050474baf907d0

SHA256
1e064eb8c153c57a0b0d5c0d4a5e95195955c764044f46412ebb8c00040e1928

SHA512
099dc55d4d67fe3e4e4071a51371c4ef1e14c2347fedfa8643f8bd39a79740b610fbbb775cfad2a82168eff12f02d507c3fe5f81d88a3ad98418069673e8771a

Download Submit
memory/388-32-0x0000000000AD0000-0x0000000000B80000-memory.dmp

Filesize
704KB

Download
memory/956-45-0x0000000000180000-0x0000000000230000-memory.dmp

Filesize
704KB

Download
memory/1428-37-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1428-35-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1640-18-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/1640-20-0x0000000000570000-0x0000000000598000-memory.dmp

Filesize
160KB

Download
memory/1640-19-0x0000000000F50000-0x0000000000FFE000-memory.dmp

Filesize
696KB

Download
memory/1640-16-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1640-14-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1640-17-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1760-80-0x0000000000270000-0x0000000000320000-memory.dmp

Filesize
704KB

Download
memory/1864-52-0x0000000072760000-0x0000000072E4E000-memory.dmp

Filesize
6.9MB

Download
memory/2256-2-0x0000000006FD0000-0x0000000007078000-memory.dmp

Filesize
672KB

Download
memory/2256-8-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2256-4-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/2256-3-0x00000000001F0000-0x0000000000228000-memory.dmp

Filesize
224KB

Download
memory/2256-1-0x0000000000990000-0x0000000000A40000-memory.dmp

Filesize
704KB

Download
memory/2256-5-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2256-0-0x000000007414E000-0x000000007414F000-memory.dmp

Filesize
4KB

Download
memory/2640-11-0x00000000012C0000-0x0000000001370000-memory.dmp

Filesize
704KB

Download
memory/2744-67-0x00000000000D0000-0x0000000000126000-memory.dmp

Filesize
344KB

Download
memory/2744-64-0x00000000000D0000-0x0000000000126000-memory.dmp

Filesize
344KB

Download
memory/2744-60-0x00000000000D0000-0x0000000000126000-memory.dmp

Filesize
344KB

Download
memory/3016-75-0x0000000001350000-0x0000000001400000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads