298e20c29cb6da323943682d2ea4368ab8e1b1a590ee23559dd54ab081c99209

General

Target

4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
Size

99KB
MD5

4190d90c04beb8e166ae4cf628102336
SHA1

acccafbb00b1501361457cdb416b2f901bfe61c2
SHA256

298e20c29cb6da323943682d2ea4368ab8e1b1a590ee23559dd54ab081c99209
SHA512

94ad30ef8766ac80d781d4cdb5d16f0e409192f310caf016172498c087f5e57d8a08a0aa0e40eb84201cdfd99d26414e4f8969e5c7f64d26d3e485cb31f79fe0
SSDEEP

1536:zPpvda3b9cYBSIUF3JBug7ybH5VCC42sIQ5LG0lRTNei:TdGbWlI4FWrp/K5LG0lRTN

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jiahus = "c:\\windows\\system32\\svchqs.exe"	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\svchqs.exe	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\svchqs.exe	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2460	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 612	4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	5
PID 4376 wrote to memory of 612	4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	5
PID 4376 wrote to memory of 612	4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	5
PID 4376 wrote to memory of 612	4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	5
PID 4376 wrote to memory of 612	4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	5
PID 4376 wrote to memory of 612	4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	5
PID 4376 wrote to memory of 612	4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	5
PID 4376 wrote to memory of 2460	4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	84
PID 4376 wrote to memory of 2460	4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	84
PID 4376 wrote to memory of 2460	4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	84
PID 4376 wrote to memory of 2072	4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	85
PID 4376 wrote to memory of 2072	4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	85
PID 4376 wrote to memory of 2072	4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	85
PID 4376 wrote to memory of 1548	4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	86
PID 4376 wrote to memory of 1548	4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	86
PID 4376 wrote to memory of 1548	4376	4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe	86
PID 2072 wrote to memory of 2404	2072	net.exe	90
PID 2072 wrote to memory of 2404	2072	net.exe	90
PID 2072 wrote to memory of 2404	2072	net.exe	90

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4190d90c04beb8e166ae4cf628102336_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\SysWOW64\sc.exe
  sc config Schedule start= auto
  2⤵
  - Launches sc.exe
  PID:2460
- C:\Windows\SysWOW64\net.exe
  net start Schedule
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start Schedule
    3⤵
    PID:2404
- C:\Windows\SysWOW64\at.exe
  at 11:58 cmd /c copy "c:\users\admin\appdata\local\temp\4190d90c04beb8e166ae4cf628102336_jaffacakes118.exe" "c:\windows\system32\svchqs.exe"
  2⤵
  PID:1548