d739c8297f94d88e014667e5e115521ada6aaad7f248a8e6a0f3e15612513c83

General

Target

46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe
Size

616KB
MD5

46a1efd85ea6d9faf9cb018e27448a42
SHA1

0a26f1fbe712a6de21dc1c7cac5e2a86f0f60674
SHA256

d739c8297f94d88e014667e5e115521ada6aaad7f248a8e6a0f3e15612513c83
SHA512

99eab08d1e868f73f70fa0d34cead99349a1984d486a03413d5ac7fd7c674c6a0fe91ca3a8d0df362efdcf7bf83451cd554d59cb4873666df4c67491fae86098
SSDEEP

6144:+CVf8/j9ks/0AvfkYfRPIz/FD++mUGPVRgZZi8nXZdjend/pTr:VVf8/j9ks/TxfaePOpy

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	svchss.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Windows Update System = "C:\\Users\\Admin\\AppData\\Roaming\\svchss.exe"	svchss.exe

Executes dropped EXE 2 IoCs

pid	Process
1988	svchss.exe
2512	svchss.exe

Loads dropped DLL 3 IoCs

pid	Process
2356	46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe
2356	46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe
1988	svchss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update System = "C:\\Users\\Admin\\AppData\\Roaming\\svchss.exe"	svchss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update System = "C:\\Users\\Admin\\AppData\\Roaming\\svchss.exe"	svchss.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2316 set thread context of 2356	2316	46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe	30
PID 1988 set thread context of 2512	1988	svchss.exe	32

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2356	46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe
2512	svchss.exe
2512	svchss.exe
2512	svchss.exe
2512	svchss.exe
2512	svchss.exe
2512	svchss.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2316	46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe
1988	svchss.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2356	2316	46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2356	2316	46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2356	2316	46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2356	2316	46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2356	2316	46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2356	2316	46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2356	2316	46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2356	2316	46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2356	2316	46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2356	2316	46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe	30
PID 2356 wrote to memory of 1988	2356	46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe	31
PID 2356 wrote to memory of 1988	2356	46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe	31
PID 2356 wrote to memory of 1988	2356	46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe	31
PID 2356 wrote to memory of 1988	2356	46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe	31
PID 1988 wrote to memory of 2512	1988	svchss.exe	32
PID 1988 wrote to memory of 2512	1988	svchss.exe	32
PID 1988 wrote to memory of 2512	1988	svchss.exe	32
PID 1988 wrote to memory of 2512	1988	svchss.exe	32
PID 1988 wrote to memory of 2512	1988	svchss.exe	32
PID 1988 wrote to memory of 2512	1988	svchss.exe	32
PID 1988 wrote to memory of 2512	1988	svchss.exe	32
PID 1988 wrote to memory of 2512	1988	svchss.exe	32
PID 1988 wrote to memory of 2512	1988	svchss.exe	32
PID 1988 wrote to memory of 2512	1988	svchss.exe	32

C:\Users\Admin\AppData\Local\Temp\46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\46a1efd85ea6d9faf9cb018e27448a42_JaffaCakes118.exe
  False
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\AppData\Roaming\svchss.exe
    "C:\Users\Admin\AppData\Roaming\svchss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Users\Admin\AppData\Roaming\svchss.exe
      False
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\svchss.exe

Filesize
616KB

MD5
46a1efd85ea6d9faf9cb018e27448a42

SHA1
0a26f1fbe712a6de21dc1c7cac5e2a86f0f60674

SHA256
d739c8297f94d88e014667e5e115521ada6aaad7f248a8e6a0f3e15612513c83

SHA512
99eab08d1e868f73f70fa0d34cead99349a1984d486a03413d5ac7fd7c674c6a0fe91ca3a8d0df362efdcf7bf83451cd554d59cb4873666df4c67491fae86098

Download Submit
memory/2356-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2356-4-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2356-5-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2512-36-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2512-37-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2512-32-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2512-33-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2512-34-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2512-35-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2512-27-0x0000000000230000-0x000000000023B000-memory.dmp

Filesize
44KB

Download
memory/2512-25-0x0000000000230000-0x000000000023B000-memory.dmp

Filesize
44KB

Download
memory/2512-38-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2512-39-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2512-40-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2512-41-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2512-42-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2512-43-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2512-44-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2512-45-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads