af351378c41c581f1f9b8fb2d80090e4aa1ec844c417eb0ebae479be4cbc6ce3

General

Target

5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
Size

770KB
MD5

5f2aaa3458a8a94a91dd71586935b2b2
SHA1

a16221e31c960dafe501a3fca7e394d92c0e0682
SHA256

af351378c41c581f1f9b8fb2d80090e4aa1ec844c417eb0ebae479be4cbc6ce3
SHA512

fc3a35ba008523cb21e4006b34e5fcf7e8935471c4ccf40661737dad62f5de4acc0e83f8d7692517e93488b06290edb913a0e9f9a790c54dde06bdacb055e094
SSDEEP

12288:0krXV6E2/ZX7kGRE/E2HjwZCSBcbn68wGhQ4kkR7DaKAa9VSaQwBirzeF58Lm32:XF6E2BX4qByk4vwGhQ4w+BomWY2

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scrss.exe = "\"C:\\Users\\Admin\\AppData\\Local\\scrss.exe \""	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
2400	option.exe
2992	scrss.exe

Loads dropped DLL 6 IoCs

pid	Process
1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
2992	scrss.exe
2400	option.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2976	reg.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
2992	scrss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2992	scrss.exe
2400	option.exe
2400	option.exe
2400	option.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2400	1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	30
PID 1872 wrote to memory of 2400	1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	30
PID 1872 wrote to memory of 2400	1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	30
PID 1872 wrote to memory of 2400	1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	30
PID 1872 wrote to memory of 2992	1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	31
PID 1872 wrote to memory of 2992	1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	31
PID 1872 wrote to memory of 2992	1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	31
PID 1872 wrote to memory of 2992	1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	31
PID 1872 wrote to memory of 2932	1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	32
PID 1872 wrote to memory of 2932	1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	32
PID 1872 wrote to memory of 2932	1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	32
PID 1872 wrote to memory of 2932	1872	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	32
PID 2932 wrote to memory of 2096	2932	cmd.exe	34
PID 2932 wrote to memory of 2096	2932	cmd.exe	34
PID 2932 wrote to memory of 2096	2932	cmd.exe	34
PID 2932 wrote to memory of 2096	2932	cmd.exe	34
PID 2096 wrote to memory of 2976	2096	cmd.exe	35
PID 2096 wrote to memory of 2976	2096	cmd.exe	35
PID 2096 wrote to memory of 2976	2096	cmd.exe	35
PID 2096 wrote to memory of 2976	2096	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\option.exe
  "C:\Users\Admin\AppData\Local\option.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2400
- C:\Users\Admin\AppData\Local\scrss.exe
  "C:\Users\Admin\AppData\Local\scrss.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c syscheck.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V scrss.exe /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V scrss.exe /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f
      4⤵
      Adds policy Run key to start application
      Modifies registry key
      PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Option.ini

Filesize
353B

MD5
34f21c84d701e9c9f70780e52adb1de9

SHA1
51bf0edd36084a1339551847cd016f32d500b357

SHA256
1fc5f81e15c3747611c33f26441ebd0c4f57b2baa7756d5cc718a7f8358890d2

SHA512
abbe67d3ce94a134c67fe4dc473e49f5a8fcda20d1c699196431c44bd533949c3c26e1b51a5bfd4806dbdae17adf41d479052509a147afe07b3cc30db97dd5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\syscheck.bat

Filesize
168B

MD5
0d92b381efa1a49bd3cc2cf3ff28bd45

SHA1
23fac6be89436f94a4f8fca5057be514c787b9b6

SHA256
b5b5a4055d2b10d9e6af0580c28ee9099632cc36eaa946ce442f65a77ee92e84

SHA512
78b611a37cf21a0bb26204f0f3057b5d800be3c2ad8190af06725e82bdcc883473cb0087f1f7bc8c0199467d14282ea92d340421d8bf796f7e45451727f66391

Download Submit
C:\Users\Admin\AppData\Local\ntldr.dll

Filesize
92KB

MD5
8a5e40eb6518353e5758e5b237897c78

SHA1
dd452e565485f48c2131dadc40a32b0d3007cef6

SHA256
5f8ba5c1522847452d92b507770bfb454548d8a02232040c6be4323792400d4f

SHA512
c941b82c3bd6be61506ac9215ab8e26983a8654444703b5a0236739a3b50a498ed0c65054b68481c026123d88b0f0e9e36f92b0f0028b4cc034345ec17f3b268

Download Submit
C:\Users\Admin\AppData\Local\scrss.exe

Filesize
237KB

MD5
c8c37aa823da020c7bc6c86752e2d3f5

SHA1
9c8dcc78b838ba7cf33160b48dfd7a061ff1318e

SHA256
52e24c3734c8656dff8603d706cf711bd63fd120d19633e7c0c4568f54e249c9

SHA512
b2129ebd8205e6bd4be4a34e8f09a4e0c0f2882cdde7afe631206d76ea50799fae8be61cbb4ebf8af3f5b883d852ec5fbfe868ab81007d46deadeded81316a63

Download Submit
\Users\Admin\AppData\Local\option.exe

Filesize
232KB

MD5
81834d4397b63bd30f869289df27e810

SHA1
0a969151a4b1f227be7c7b4643f44eff32d3e5af

SHA256
343e9ecd7836063440cf7e3d7002af182047fbde667e6d2eaae9021975385452

SHA512
57e52f62b9f1922a2a5e435f461387cba50bd5a6fd93b750c98d3a69f806264416023c7fc5f31f118110fb8d729cdcf6c0516e7c3a496b5040876a1999e684a8

Download Submit
memory/1872-32-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2400-31-0x0000000001D90000-0x0000000001DAC000-memory.dmp

Filesize
112KB

Download
memory/2400-51-0x0000000001D90000-0x0000000001DAC000-memory.dmp

Filesize
112KB

Download
memory/2992-28-0x0000000000230000-0x000000000024C000-memory.dmp

Filesize
112KB

Download
memory/2992-52-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2992-53-0x0000000000230000-0x000000000024C000-memory.dmp

Filesize
112KB

Download
memory/2992-58-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2992-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2992-70-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2992-76-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads