1e064eb8c153c57a0b0d5c0d4a5e95195955c764044f46412ebb8c00040e1928

General

Target

924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe
Size

679KB
MD5

924e5824014d9c8fc0eeb8ff7bad9d7d
SHA1

1e902c04f0cdbc9a96049a5713050474baf907d0
SHA256

1e064eb8c153c57a0b0d5c0d4a5e95195955c764044f46412ebb8c00040e1928
SHA512

099dc55d4d67fe3e4e4071a51371c4ef1e14c2347fedfa8643f8bd39a79740b610fbbb775cfad2a82168eff12f02d507c3fe5f81d88a3ad98418069673e8771a
SSDEEP

12288:XQXYPcOvIuaxg1ms5S1hq3JonqMxFGlWARHT2Pn:X53vTPckMh5UlWcCPn

Score

7^/10

agilenet

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

scvhost.exescvhost.exescvhost.exe924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exescvhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	scvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	scvhost.exe

Drops startup file 7 IoCs

Processes:

cmd.execmd.execmd.exescvhost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.lnk	scvhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe	cmd.exe

Executes dropped EXE 8 IoCs

Processes:

scvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exe

pid process

4404 scvhost.exe
4576 scvhost.exe
4988 scvhost.exe
2164 scvhost.exe
3944 scvhost.exe
4284 scvhost.exe
3696 scvhost.exe
1768 scvhost.exe

pid	process
4404	scvhost.exe
4576	scvhost.exe
4988	scvhost.exe
2164	scvhost.exe
3944	scvhost.exe
4284	scvhost.exe
3696	scvhost.exe
1768	scvhost.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/332-6-0x0000000007FF0000-0x0000000008028000-memory.dmp	agile_net
behavioral2/memory/4404-16-0x00000000073F0000-0x0000000007428000-memory.dmp	agile_net

Suspicious use of SetThreadContext 3 IoCs

Processes:

scvhost.exescvhost.exescvhost.exe

description	pid	process	target process
PID 4404 set thread context of 4576	4404	scvhost.exe	scvhost.exe
PID 2164 set thread context of 3944	2164	scvhost.exe	scvhost.exe
PID 3696 set thread context of 1768	3696	scvhost.exe	scvhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4812 PING.EXE
2940 PING.EXE

pid	process
4812	PING.EXE
2940	PING.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exescvhost.exe

description	pid	process
Token: SeDebugPrivilege	332	924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe
Token: SeDebugPrivilege	4404	scvhost.exe
Token: SeDebugPrivilege	4576	scvhost.exe
Token: SeDebugPrivilege	4988	scvhost.exe
Token: SeDebugPrivilege	2164	scvhost.exe
Token: SeDebugPrivilege	3944	scvhost.exe
Token: SeDebugPrivilege	4284	scvhost.exe
Token: SeDebugPrivilege	3696	scvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exeexplorer.exescvhost.exescvhost.execmd.exescvhost.exeexplorer.exescvhost.exescvhost.execmd.exescvhost.exeexplorer.exescvhost.exe

description	pid	process	target process
PID 332 wrote to memory of 4020	332	924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe	cmd.exe
PID 332 wrote to memory of 4020	332	924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe	cmd.exe
PID 332 wrote to memory of 4020	332	924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe	cmd.exe
PID 332 wrote to memory of 4072	332	924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe	explorer.exe
PID 332 wrote to memory of 4072	332	924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe	explorer.exe
PID 332 wrote to memory of 4072	332	924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe	explorer.exe
PID 2688 wrote to memory of 4404	2688	explorer.exe	scvhost.exe
PID 2688 wrote to memory of 4404	2688	explorer.exe	scvhost.exe
PID 2688 wrote to memory of 4404	2688	explorer.exe	scvhost.exe
PID 4404 wrote to memory of 4576	4404	scvhost.exe	scvhost.exe
PID 4404 wrote to memory of 4576	4404	scvhost.exe	scvhost.exe
PID 4404 wrote to memory of 4576	4404	scvhost.exe	scvhost.exe
PID 4404 wrote to memory of 4576	4404	scvhost.exe	scvhost.exe
PID 4404 wrote to memory of 4576	4404	scvhost.exe	scvhost.exe
PID 4404 wrote to memory of 4576	4404	scvhost.exe	scvhost.exe
PID 4404 wrote to memory of 4576	4404	scvhost.exe	scvhost.exe
PID 4404 wrote to memory of 4576	4404	scvhost.exe	scvhost.exe
PID 4576 wrote to memory of 4988	4576	scvhost.exe	scvhost.exe
PID 4576 wrote to memory of 4988	4576	scvhost.exe	scvhost.exe
PID 4576 wrote to memory of 4988	4576	scvhost.exe	scvhost.exe
PID 4576 wrote to memory of 4480	4576	scvhost.exe	cmd.exe
PID 4576 wrote to memory of 4480	4576	scvhost.exe	cmd.exe
PID 4576 wrote to memory of 4480	4576	scvhost.exe	cmd.exe
PID 4480 wrote to memory of 4812	4480	cmd.exe	PING.EXE
PID 4480 wrote to memory of 4812	4480	cmd.exe	PING.EXE
PID 4480 wrote to memory of 4812	4480	cmd.exe	PING.EXE
PID 4988 wrote to memory of 2220	4988	scvhost.exe	cmd.exe
PID 4988 wrote to memory of 2220	4988	scvhost.exe	cmd.exe
PID 4988 wrote to memory of 2220	4988	scvhost.exe	cmd.exe
PID 4988 wrote to memory of 1100	4988	scvhost.exe	explorer.exe
PID 4988 wrote to memory of 1100	4988	scvhost.exe	explorer.exe
PID 4988 wrote to memory of 1100	4988	scvhost.exe	explorer.exe
PID 2296 wrote to memory of 2164	2296	explorer.exe	scvhost.exe
PID 2296 wrote to memory of 2164	2296	explorer.exe	scvhost.exe
PID 2296 wrote to memory of 2164	2296	explorer.exe	scvhost.exe
PID 2164 wrote to memory of 3944	2164	scvhost.exe	scvhost.exe
PID 2164 wrote to memory of 3944	2164	scvhost.exe	scvhost.exe
PID 2164 wrote to memory of 3944	2164	scvhost.exe	scvhost.exe
PID 2164 wrote to memory of 3944	2164	scvhost.exe	scvhost.exe
PID 2164 wrote to memory of 3944	2164	scvhost.exe	scvhost.exe
PID 2164 wrote to memory of 3944	2164	scvhost.exe	scvhost.exe
PID 2164 wrote to memory of 3944	2164	scvhost.exe	scvhost.exe
PID 2164 wrote to memory of 3944	2164	scvhost.exe	scvhost.exe
PID 3944 wrote to memory of 4284	3944	scvhost.exe	scvhost.exe
PID 3944 wrote to memory of 4284	3944	scvhost.exe	scvhost.exe
PID 3944 wrote to memory of 4284	3944	scvhost.exe	scvhost.exe
PID 3944 wrote to memory of 3348	3944	scvhost.exe	cmd.exe
PID 3944 wrote to memory of 3348	3944	scvhost.exe	cmd.exe
PID 3944 wrote to memory of 3348	3944	scvhost.exe	cmd.exe
PID 3348 wrote to memory of 2940	3348	cmd.exe	PING.EXE
PID 3348 wrote to memory of 2940	3348	cmd.exe	PING.EXE
PID 3348 wrote to memory of 2940	3348	cmd.exe	PING.EXE
PID 4284 wrote to memory of 2816	4284	scvhost.exe	cmd.exe
PID 4284 wrote to memory of 2816	4284	scvhost.exe	cmd.exe
PID 4284 wrote to memory of 2816	4284	scvhost.exe	cmd.exe
PID 4284 wrote to memory of 1684	4284	scvhost.exe	explorer.exe
PID 4284 wrote to memory of 1684	4284	scvhost.exe	explorer.exe
PID 4284 wrote to memory of 1684	4284	scvhost.exe	explorer.exe
PID 2960 wrote to memory of 3696	2960	explorer.exe	scvhost.exe
PID 2960 wrote to memory of 3696	2960	explorer.exe	scvhost.exe
PID 2960 wrote to memory of 3696	2960	explorer.exe	scvhost.exe
PID 3696 wrote to memory of 1768	3696	scvhost.exe	scvhost.exe
PID 3696 wrote to memory of 1768	3696	scvhost.exe	scvhost.exe
PID 3696 wrote to memory of 1768	3696	scvhost.exe	scvhost.exe

C:\Users\Admin\AppData\Local\Temp\924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\924e5824014d9c8fc0eeb8ff7bad9d7d_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
2⤵
- Drops startup file
PID:4020

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
2⤵
PID:4072

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2688

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576

C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe
"C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
5⤵
- Drops startup file
PID:2220

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
5⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
5⤵
- Runs ping.exe
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3848 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:3776

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe
"C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\scvhost\scvhost.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
5⤵
- Drops startup file
PID:2816

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
5⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3348

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
5⤵
- Runs ping.exe
PID:2940

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3696

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe"
3⤵
- Executes dropped EXE
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\scvhost.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvhost.exe
Filesize
679KB

MD5
924e5824014d9c8fc0eeb8ff7bad9d7d

SHA1
1e902c04f0cdbc9a96049a5713050474baf907d0

SHA256
1e064eb8c153c57a0b0d5c0d4a5e95195955c764044f46412ebb8c00040e1928

SHA512
099dc55d4d67fe3e4e4071a51371c4ef1e14c2347fedfa8643f8bd39a79740b610fbbb775cfad2a82168eff12f02d507c3fe5f81d88a3ad98418069673e8771a

Download Submit
memory/332-13-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/332-2-0x0000000007B60000-0x0000000007C08000-memory.dmp

Filesize
672KB

Download
memory/332-4-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/332-5-0x0000000007F50000-0x0000000007FE2000-memory.dmp

Filesize
584KB

Download
memory/332-6-0x0000000007FF0000-0x0000000008028000-memory.dmp

Filesize
224KB

Download
memory/332-7-0x00000000057C0000-0x00000000057C6000-memory.dmp

Filesize
24KB

Download
memory/332-8-0x00000000081A0000-0x00000000081AA000-memory.dmp

Filesize
40KB

Download
memory/332-9-0x0000000074F0E000-0x0000000074F0F000-memory.dmp

Filesize
4KB

Download
memory/332-0-0x0000000074F0E000-0x0000000074F0F000-memory.dmp

Filesize
4KB

Download
memory/332-3-0x0000000008400000-0x00000000089A4000-memory.dmp

Filesize
5.6MB

Download
memory/332-1-0x0000000000CE0000-0x0000000000D90000-memory.dmp

Filesize
704KB

Download
memory/3944-46-0x0000000006DB0000-0x0000000006DC8000-memory.dmp

Filesize
96KB

Download
memory/4404-18-0x0000000006760000-0x00000000067FC000-memory.dmp

Filesize
624KB

Download
memory/4404-16-0x00000000073F0000-0x0000000007428000-memory.dmp

Filesize
224KB

Download
memory/4576-23-0x0000000000600000-0x0000000000656000-memory.dmp

Filesize
344KB

Download
memory/4576-24-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/4576-25-0x0000000004C80000-0x0000000004D2E000-memory.dmp

Filesize
696KB

Download
memory/4576-26-0x0000000000B00000-0x0000000000B28000-memory.dmp

Filesize
160KB

Download
memory/4576-27-0x00000000066D0000-0x0000000006736000-memory.dmp

Filesize
408KB

Download
memory/4576-28-0x0000000006E40000-0x0000000006E58000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads