298e20c29cb6da323943682d2ea4368ab8e1b1a590ee23559dd54ab081c99209

General

Target

4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
Size

99KB
MD5

4190d90c04beb8e166ae4cf628102336
SHA1

acccafbb00b1501361457cdb416b2f901bfe61c2
SHA256

298e20c29cb6da323943682d2ea4368ab8e1b1a590ee23559dd54ab081c99209
SHA512

94ad30ef8766ac80d781d4cdb5d16f0e409192f310caf016172498c087f5e57d8a08a0aa0e40eb84201cdfd99d26414e4f8969e5c7f64d26d3e485cb31f79fe0
SSDEEP

1536:zPpvda3b9cYBSIUF3JBug7ybH5VCC42sIQ5LG0lRTNei:TdGbWlI4FWrp/K5LG0lRTN

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jiahus = "c:\\windows\\system32\\svchqs.exe"	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2844	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2700	2640	WerFault.exe	29

Runs net.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 428	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	5
PID 2640 wrote to memory of 428	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	5
PID 2640 wrote to memory of 428	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	5
PID 2640 wrote to memory of 428	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	5
PID 2640 wrote to memory of 428	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	5
PID 2640 wrote to memory of 428	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	5
PID 2640 wrote to memory of 428	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	5
PID 2640 wrote to memory of 2844	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2844	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2844	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2844	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2868	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2868	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2868	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2868	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2700	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2700	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2700	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	33
PID 2640 wrote to memory of 2700	2640	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	33
PID 2868 wrote to memory of 2708	2868	net.exe	35
PID 2868 wrote to memory of 2708	2868	net.exe	35
PID 2868 wrote to memory of 2708	2868	net.exe	35
PID 2868 wrote to memory of 2708	2868	net.exe	35

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Users\Admin\AppData\Local\Temp\4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\sc.exe
  sc config Schedule start= auto
  2⤵
  - Launches sc.exe
  PID:2844
- C:\Windows\SysWOW64\net.exe
  net start Schedule
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start Schedule
    3⤵
    PID:2708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 260
  2⤵
  - Program crash
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/428-0-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2640-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads