8bee8207e0edcd1c7f1bed14f86735bad871275aa82ac2d0c504280da16811da

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

381f25f63ee848fd857d7e0c0cb70b4b_JaffaCakes118.exe
Size

1.9MB
MD5

381f25f63ee848fd857d7e0c0cb70b4b
SHA1

bdf8876f3c24f67821d82baac2b2bf23dcf739d8
SHA256

8bee8207e0edcd1c7f1bed14f86735bad871275aa82ac2d0c504280da16811da
SHA512

e2b56f8fce4e8da2f36ac9526a0315ae970a9484afd672fa2c5cc3cd8335c225c2d33a64613bb8d91f57c4103446592e08a0f27d7b7707826422f1de34dd3908
SSDEEP

24576:hoKtDF9Wc/raYKAVvy4fW0YjVbbTe6YCFfQYMC8o3vv8SNL+2FwAUiy3O+MB7XQd:SK4cZFyez2bbTogtHlpLDysftlmpZRrR

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Port Monitors 1 TTPs 12 IoCs

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

persistence

Port Monitors

T1547.010

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port	spoolsv.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\abopxyzqa.sys	vtqcay.exe
File created	C:\Windows\SysWOW64\drivers\beep.sys	BEAR.EXE

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\debugger = "ntsd -d"	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe\debugger = "ntsd -d"	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe\debugger = "ntsd -d"	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spml_set.exe\debugger = "ntsd -d"	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp\debugger = "ntsd -d"	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrvAnti.exe\debugger = "ntsd -d"	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderui.exe\debugger = "ntsd -d"	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe\debugger = "ntsd -d"	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.exe	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RawCopy.exe	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe\debugger = "ntsd -d"	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\debugger = "ntsd -d"	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe\debugger = "ntsd -d"	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyICE.EXE\debugger = "ntsd -d"	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.exe	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\debugger = "ntsd -d"	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe\debugger = "ntsd -d"	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe\debugger = "ntsd -d"	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe\debugger = "ntsd -d"	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe\debugger = "ntsd -d"	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe\debugger = "ntsd -d"	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyICE.EXE	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwstub.exe\debugger = "ntsd -d"	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegTool.exe\debugger = "ntsd -d"	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\debugger = "ntsd -d"	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe\debugger = "ntsd -d"	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe\debugger = "ntsd -d"	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyDBG.EXE\debugger = "ntsd -d"	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderml.exe\debugger = "ntsd -d"	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe\debugger = "ntsd -d"	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavXP.exe	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\debugger = "ntsd -d"	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe\debugger = "ntsd -d"	vtqcay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavCopy.exe	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe\debugger = "ntsd -d"	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe\debugger = "ntsd -d"	vtqcay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe\debugger = "ntsd -d"	vtqcay.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	381f25f63ee848fd857d7e0c0cb70b4b_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
3624	BEAR.EXE
3712	pep.exe
2752	vtqcay.exe

Loads dropped DLL 2 IoCs

pid	Process
3712	pep.exe
3712	pep.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vtqcay.exe	BEAR.EXE

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\BEAR.EXE	381f25f63ee848fd857d7e0c0cb70b4b_JaffaCakes118.exe
File created	C:\Program Files\pep.exe	381f25f63ee848fd857d7e0c0cb70b4b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x00090000000234dd-37.dat	nsis_installer_1
behavioral2/files/0x00090000000234dd-37.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe

Modifies data under HKEY_USERS 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:"	spoolsv.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	381f25f63ee848fd857d7e0c0cb70b4b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
2752	vtqcay.exe
3624	BEAR.EXE
2752	vtqcay.exe
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
3624	BEAR.EXE
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe
2752	vtqcay.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3624	BEAR.EXE
Token: SeDebugPrivilege	2752	vtqcay.exe
Token: SeTakeOwnershipPrivilege	3624	BEAR.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 3624	4928	381f25f63ee848fd857d7e0c0cb70b4b_JaffaCakes118.exe	86
PID 4928 wrote to memory of 3624	4928	381f25f63ee848fd857d7e0c0cb70b4b_JaffaCakes118.exe	86
PID 4928 wrote to memory of 3624	4928	381f25f63ee848fd857d7e0c0cb70b4b_JaffaCakes118.exe	86
PID 4928 wrote to memory of 3712	4928	381f25f63ee848fd857d7e0c0cb70b4b_JaffaCakes118.exe	88
PID 4928 wrote to memory of 3712	4928	381f25f63ee848fd857d7e0c0cb70b4b_JaffaCakes118.exe	88
PID 4928 wrote to memory of 3712	4928	381f25f63ee848fd857d7e0c0cb70b4b_JaffaCakes118.exe	88
PID 3624 wrote to memory of 2752	3624	BEAR.EXE	89
PID 3624 wrote to memory of 2752	3624	BEAR.EXE	89
PID 3624 wrote to memory of 2752	3624	BEAR.EXE	89
PID 3624 wrote to memory of 4356	3624	BEAR.EXE	91
PID 3624 wrote to memory of 4356	3624	BEAR.EXE	91
PID 3624 wrote to memory of 4356	3624	BEAR.EXE	91

C:\Users\Admin\AppData\Local\Temp\381f25f63ee848fd857d7e0c0cb70b4b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\381f25f63ee848fd857d7e0c0cb70b4b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Program Files\BEAR.EXE
  "C:\Program Files\BEAR.EXE"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Windows\SysWOW64\vtqcay.exe
    C:\Windows\system32\vtqcay.exe
    3⤵
    - Drops file in Drivers directory
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\_uniep.bat
    3⤵
    PID:4356
- C:\Program Files\pep.exe
  "C:\Program Files\pep.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3712

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Boot or Logon Autostart Execution: Port Monitors
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Port Monitors

T1547.010

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Port Monitors

T1547.010

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\BEAR.EXE

Filesize
168KB

MD5
2163e9b597a754e0f59d72b154fc1cc7

SHA1
27ff1faed18ccadbd02df88495d10ed007a3c729

SHA256
31a2dd4633a04c4acdd97f6fffbb1aa607a5a7ac41f434e1e5c757d5900e707e

SHA512
2e271a78248e5ed62f0707f64f715bdf19334144d8598ffb99539779c1725b688b5b28df845500c3b89346e308b4347073312b37209ebc660c787c24f65213fa

Download Submit
C:\Program Files\pep.exe

Filesize
1.7MB

MD5
cfda9c8171425aa7b205244d58bb7340

SHA1
a965c3621c7d22c341d14eb70268f4ab414dcda8

SHA256
61ed11474d4a545764c81edc0a606c95534de929703f702010e680742f347ad1

SHA512
f07a838d4662c718a7315d67bad37da3d938340e5f2de790c18375bba3c7ba51e99287d26b25591e19eb61d898a4aa72fc3426ebebf5afe05d0366c2d3bd0095

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdDB7D.tmp\InstallOptions.dll

Filesize
14KB

MD5
3809b1424d53ccb427c88cabab8b5f94

SHA1
bc74d911216f32a9ca05c0d9b61a2aecfc0d1c0e

SHA256
426efd56da4014f12ec8ee2e268f86b848bbca776333d55482cb3eb71c744088

SHA512
626a1c5edd86a71579e42bac8df479184515e6796fa21cb4fad6731bb775641d25f8eb8e86b939b9db9099453e85c572c9ea7897339a3879a1b672bc9226fcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdDB7D.tmp\LangDLL.dll

Filesize
5KB

MD5
8c909780802ac2097ea4132e6375acd2

SHA1
b35fbda0725d7c66281d5c340b53eb5d54922583

SHA256
c66b568cd675806a499273e3e8aeda350425aac17fc24342ed54e477417cdc0f

SHA512
e94a37c586e55de8b61b427c14a385dcc57f3602d3dace90ad4663609da14a922cb78f76a58ed211549e987ba6f130cf2581eb48bcad2c9c25c6dc93a7ff6d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdDB7D.tmp\ioSpecial.ini

Filesize
747B

MD5
9f0d86b629aac45c98cffaf014441e81

SHA1
a4661bbce65f4cdd548e001701af0ea24ecca332

SHA256
2fd834f0b1160f4476a76e8c40fa1c24c1b56fee32979a2c39f6bce024bba566

SHA512
271bde3858bb44a7590f52cd77347c05980d6c1e14554b53c09f25f7c492516bfff21f5fc059687457760f859ca4c2b9e3ae8a0d37f901bc56d5b2fa75d08fcd

Download Submit
C:\Windows\SysWOW64\vtqcay.exe

Filesize
39KB

MD5
d11e5ea7149e20e841f76d3bde0ad860

SHA1
ef65e51af6b35b0ac4f20bfedfbb86d54cf687d5

SHA256
f07bae017a7cf4d47f754833032c5abd2e5552d0621bd9dfedfe9b9dbef5836e

SHA512
afe4151096224dfeac171347f625e42c9c011d10b9777c380a659d80765339c1464bf272946dc3207c37e4e6d9e1c65aa907f53ed645218bafe55b0dd7c2160a

Download Submit
\??\c:\_uniep.bat

Filesize
98B

MD5
5a33baac904d16bfaffa3b5c88462eda

SHA1
79bf8278f4acedd094d819749a5d83272b7e7fde

SHA256
b6fb4c494474fcef3588bc5969c97eea01516e7c869a58025baee87a9f5f71d5

SHA512
1ca666d0f9d7f12ff16100b01fae2d85e54dc49933b82add782de07733a412ed00833940cbbbc499c1596c208dd9681e7eb2b796d5b873befc2d49c42ed9d876

Download Submit
memory/2752-80-0x0000000000400000-0x000000000040B62A-memory.dmp

Filesize
45KB

Download
memory/2752-160-0x0000000000400000-0x000000000040B62A-memory.dmp

Filesize
45KB

Download
memory/4928-0-0x0000000000400000-0x00000000005EB079-memory.dmp

Filesize
1.9MB

Download
memory/4928-65-0x0000000000400000-0x00000000005EB079-memory.dmp

Filesize
1.9MB

Download