76869418b743d0c1c2ff4241f62f2ae0c63af1233dfb577eb71baad3be896f96

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Size

124KB
MD5

16f902491090535d69774895fde63bf4
SHA1

f7273cac1b3ed08cc15275a5eb3a6771daa6b91b
SHA256

76869418b743d0c1c2ff4241f62f2ae0c63af1233dfb577eb71baad3be896f96
SHA512

1a32ec1437b121956a0a366ffa93511b42c17a59b032333482fa5eea5b462805772f02014a808a95f7dca48e050d23cd5c4305a67c37624c4441acafe12ac691
SSDEEP

1536:ylUNYw+Awk9/0WmGOq4OroRm2oO0jYlcwrLpdUGvd:yxAws/ldrom9cDr9OG

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\info.exe"	16f902491090535d69774895fde63bf4_JaffaCakes118.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\IsDrv120.sys	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\IsDrv118.sys	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\IsDrv120.sys	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\IsDrv118.sys	16f902491090535d69774895fde63bf4_JaffaCakes118.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 26 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syssafe.exe\Debugger = "C:\\info.exe"	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sreng.exe	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccenter.exe	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "C:\\info.exe"	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe\Debugger = "C:\\info.exe"	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syssafe.exe	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "C:\\info.exe"	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icesword.exe\Debugger = "C:\\info.exe"	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sreng.exe\Debugger = "C:\\info.exe"	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccenter.exe\Debugger = "C:\\info.exe"	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe\Debugger = "C:\\info.exe"	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\info.exe"	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icesword.exe	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\info.exe"	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\info.exe"	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravmon.exe	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravmon.exe\Debugger = "C:\\info.exe"	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\info.exe"	16f902491090535d69774895fde63bf4_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\B-A-I-D-U-C-O-M = "C:\\info.exe"	16f902491090535d69774895fde63bf4_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 48 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	\??\X:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	D:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\J:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\L:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\M:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	F:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\Q:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\W:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\U:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\Y:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	C:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\R:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\T:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\X:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	D:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	F:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\V:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\W:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\Z:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\T:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\G:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\N:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\E:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\P:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\Z:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\R:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\O:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\c:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\N:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\O:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\I:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\P:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\Q:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\I:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\M:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\U:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\L:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\S:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\H:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\K:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\S:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\G:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\H:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\K:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\Y:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File created	\??\J:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\E:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	\??\V:\autorun.inf	16f902491090535d69774895fde63bf4_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SysSafe.exe	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SysSafe.exe	16f902491090535d69774895fde63bf4_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.baidu.com.cn/"	16f902491090535d69774895fde63bf4_JaffaCakes118.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1740	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe	28
PID 2116 wrote to memory of 1740	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe	28
PID 2116 wrote to memory of 1740	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe	28
PID 2116 wrote to memory of 1740	2116	16f902491090535d69774895fde63bf4_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2380	1740	net.exe	30
PID 1740 wrote to memory of 2380	1740	net.exe	30
PID 1740 wrote to memory of 2380	1740	net.exe	30
PID 1740 wrote to memory of 2380	1740	net.exe	30

C:\Users\Admin\AppData\Local\Temp\16f902491090535d69774895fde63bf4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\16f902491090535d69774895fde63bf4_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\net.exe
  net stop cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop cryptsvc
    3⤵
    PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\IsDrv120.sys

Filesize
4B

MD5
e89854dfc541758037d0d9898aac114b

SHA1
352c5f759fbd5da2383af80f897e0012db3d45ed

SHA256
f015c4c4e29b4b0d404d2b8dd98be87d41bf486b711aeba13379eee5095ecbaf

SHA512
b555df0a92d57756da8887a945d1fc668b494973fe3011828e43dcf9b381a4197eaf9121010716173fea331cf3f2fea9cf85e4fb2dc550fcb32cb61448be7465

Download Submit
C:\autorun.inf

Filesize
119B

MD5
8815ca284498e1a366afbb10c60e95e9

SHA1
fb02189ab180d7d72567cf31c8ee3ed2a85dbed1

SHA256
0ef510e196e2d7432dff036164ffd3845fbb0f8cd59511a93b032e7b42c326be

SHA512
d683e4954f450296472ebfbf1fd3704e9fb1db65bf99f61d58c81dfcc5414a44bfe31198c29167c0c171bcc0e77b89e393039bb61b17b7c9d5a9803bcde5361d

Download Submit
C:\info.exe

Filesize
124KB

MD5
16f902491090535d69774895fde63bf4

SHA1
f7273cac1b3ed08cc15275a5eb3a6771daa6b91b

SHA256
76869418b743d0c1c2ff4241f62f2ae0c63af1233dfb577eb71baad3be896f96

SHA512
1a32ec1437b121956a0a366ffa93511b42c17a59b032333482fa5eea5b462805772f02014a808a95f7dca48e050d23cd5c4305a67c37624c4441acafe12ac691

Download Submit
memory/2116-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2116-359-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download