c8e172c2aa134a995cf449c22fc72d552dfe82ee50562a5ae6d63fc716593104

General

Target

60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe
Size

692KB
MD5

60476c892ca790e28f8aaf1f56b50518
SHA1

157ba2fcd7f004aa0d6b2c266edab867f374cea8
SHA256

c8e172c2aa134a995cf449c22fc72d552dfe82ee50562a5ae6d63fc716593104
SHA512

db27ddfa7432f437ef9ba2bc80bffa84a20911f3dbf373b9a4867e809e2cf0d7f95b7b8d3765ebabe521771acb52021f942ad62f295b868951bb89d842f7550d
SSDEEP

6144:mw2VnAKP8AcO/t4JRPB/Wsw7epczK7mYYVce4H8bE11VORe/mOAH6gdJmw9Sq+l6:z2j8PdxB/Ws64vmQ11Vf/mOAHXL8ll6

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2540	svchcst.exe

Loads dropped DLL 2 IoCs

pid	Process
3032	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe
3032	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcomtr = "C:\\WINDOWS\\system32\\svchcst.exe"	regedit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchcst.exe	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\reg.reg	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
1800	regedit.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3032	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3032	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe
3032	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe
2540	svchcst.exe
2540	svchcst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2540	3032	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2540	3032	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2540	3032	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2540	3032	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe	30
PID 3032 wrote to memory of 2712	3032	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe	31
PID 3032 wrote to memory of 2712	3032	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe	31
PID 3032 wrote to memory of 2712	3032	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe	31
PID 3032 wrote to memory of 2712	3032	60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe	31
PID 2540 wrote to memory of 2176	2540	svchcst.exe	34
PID 2540 wrote to memory of 2176	2540	svchcst.exe	34
PID 2540 wrote to memory of 2176	2540	svchcst.exe	34
PID 2540 wrote to memory of 2176	2540	svchcst.exe	34
PID 2176 wrote to memory of 1800	2176	cmd.exe	36
PID 2176 wrote to memory of 1800	2176	cmd.exe	36
PID 2176 wrote to memory of 1800	2176	cmd.exe	36
PID 2176 wrote to memory of 1800	2176	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\60476c892ca790e28f8aaf1f56b50518_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\svchcst.exe
  "C:\Windows\system32\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c regedit -s C:\Windows\reg.reg
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\SysWOW64\regedit.exe
      regedit -s C:\Windows\reg.reg
      4⤵
      Adds Run key to start application
      Runs .reg file with regedit
      PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ .bat" "
  2⤵
  - Deletes itself
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ .bat

Filesize
137B

MD5
91031b1ce91d7ebfeedba7549c7d77de

SHA1
2796c5e42a7a2467f8e02f17fa9812a3470a861b

SHA256
ebe2f95753a116102898b90dab09a7287d7d61e22e2c541e93482201c0f6c396

SHA512
77e04e3f6016a52a8637b7dfe5f21af99f40cab78be38e6bf01b5887827da4e6240d4f3ebac977b1190fcebb428e6e03f3b242cb69764dc9f374d58fbe756420

Download Submit
C:\Windows\reg.reg

Filesize
154B

MD5
d00bcc58dfddbb4cce3fd371c35651a2

SHA1
737b23026c9efa398127bed43aef144ad95eff45

SHA256
a776baa2520c61f8bfa3bf42ffc16acc896cea78af8ae0b896598bb0f075b251

SHA512
a01d95437b4675d79b8dbe7bb35b7dd982f7093ba979eb735ed1802a7d5c19dc2e494ef86f846767be858fec1ee3dba9f79dd962eb21fb5282290edde60d142c

Download Submit
\Windows\SysWOW64\svchcst.exe

Filesize
692KB

MD5
60476c892ca790e28f8aaf1f56b50518

SHA1
157ba2fcd7f004aa0d6b2c266edab867f374cea8

SHA256
c8e172c2aa134a995cf449c22fc72d552dfe82ee50562a5ae6d63fc716593104

SHA512
db27ddfa7432f437ef9ba2bc80bffa84a20911f3dbf373b9a4867e809e2cf0d7f95b7b8d3765ebabe521771acb52021f942ad62f295b868951bb89d842f7550d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads