af351378c41c581f1f9b8fb2d80090e4aa1ec844c417eb0ebae479be4cbc6ce3

General

Target

5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
Size

770KB
MD5

5f2aaa3458a8a94a91dd71586935b2b2
SHA1

a16221e31c960dafe501a3fca7e394d92c0e0682
SHA256

af351378c41c581f1f9b8fb2d80090e4aa1ec844c417eb0ebae479be4cbc6ce3
SHA512

fc3a35ba008523cb21e4006b34e5fcf7e8935471c4ccf40661737dad62f5de4acc0e83f8d7692517e93488b06290edb913a0e9f9a790c54dde06bdacb055e094
SSDEEP

12288:0krXV6E2/ZX7kGRE/E2HjwZCSBcbn68wGhQ4kkR7DaKAa9VSaQwBirzeF58Lm32:XF6E2BX4qByk4vwGhQ4w+BomWY2

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scrss.exe = "\"C:\\Users\\Admin\\AppData\\Local\\scrss.exe \""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2348	option.exe
3376	scrss.exe

Loads dropped DLL 4 IoCs

pid	Process
3376	scrss.exe
3376	scrss.exe
2348	option.exe
2348	option.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2376	reg.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
3376	scrss.exe
3376	scrss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3376	scrss.exe
2348	option.exe
2348	option.exe
2348	option.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 2348	5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	85
PID 5048 wrote to memory of 2348	5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	85
PID 5048 wrote to memory of 2348	5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	85
PID 5048 wrote to memory of 3376	5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	86
PID 5048 wrote to memory of 3376	5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	86
PID 5048 wrote to memory of 3376	5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	86
PID 5048 wrote to memory of 1876	5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	87
PID 5048 wrote to memory of 1876	5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	87
PID 5048 wrote to memory of 1876	5048	5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe	87
PID 1876 wrote to memory of 4116	1876	cmd.exe	89
PID 1876 wrote to memory of 4116	1876	cmd.exe	89
PID 1876 wrote to memory of 4116	1876	cmd.exe	89
PID 4116 wrote to memory of 2376	4116	cmd.exe	90
PID 4116 wrote to memory of 2376	4116	cmd.exe	90
PID 4116 wrote to memory of 2376	4116	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f2aaa3458a8a94a91dd71586935b2b2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\option.exe
  "C:\Users\Admin\AppData\Local\option.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2348
- C:\Users\Admin\AppData\Local\scrss.exe
  "C:\Users\Admin\AppData\Local\scrss.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c syscheck.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V scrss.exe /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V scrss.exe /D "\"C:\Users\Admin\AppData\Local\scrss.exe \"" /f
      4⤵
      Adds policy Run key to start application
      Modifies registry key
      PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\syscheck.bat

Filesize
168B

MD5
0d92b381efa1a49bd3cc2cf3ff28bd45

SHA1
23fac6be89436f94a4f8fca5057be514c787b9b6

SHA256
b5b5a4055d2b10d9e6af0580c28ee9099632cc36eaa946ce442f65a77ee92e84

SHA512
78b611a37cf21a0bb26204f0f3057b5d800be3c2ad8190af06725e82bdcc883473cb0087f1f7bc8c0199467d14282ea92d340421d8bf796f7e45451727f66391

Download Submit
C:\Users\Admin\AppData\Local\ntldr.dll

Filesize
92KB

MD5
8a5e40eb6518353e5758e5b237897c78

SHA1
dd452e565485f48c2131dadc40a32b0d3007cef6

SHA256
5f8ba5c1522847452d92b507770bfb454548d8a02232040c6be4323792400d4f

SHA512
c941b82c3bd6be61506ac9215ab8e26983a8654444703b5a0236739a3b50a498ed0c65054b68481c026123d88b0f0e9e36f92b0f0028b4cc034345ec17f3b268

Download Submit
C:\Users\Admin\AppData\Local\option.exe

Filesize
232KB

MD5
81834d4397b63bd30f869289df27e810

SHA1
0a969151a4b1f227be7c7b4643f44eff32d3e5af

SHA256
343e9ecd7836063440cf7e3d7002af182047fbde667e6d2eaae9021975385452

SHA512
57e52f62b9f1922a2a5e435f461387cba50bd5a6fd93b750c98d3a69f806264416023c7fc5f31f118110fb8d729cdcf6c0516e7c3a496b5040876a1999e684a8

Download Submit
C:\Users\Admin\AppData\Local\scrss.exe

Filesize
237KB

MD5
c8c37aa823da020c7bc6c86752e2d3f5

SHA1
9c8dcc78b838ba7cf33160b48dfd7a061ff1318e

SHA256
52e24c3734c8656dff8603d706cf711bd63fd120d19633e7c0c4568f54e249c9

SHA512
b2129ebd8205e6bd4be4a34e8f09a4e0c0f2882cdde7afe631206d76ea50799fae8be61cbb4ebf8af3f5b883d852ec5fbfe868ab81007d46deadeded81316a63

Download Submit
memory/2348-30-0x0000000002380000-0x000000000239C000-memory.dmp

Filesize
112KB

Download
memory/2348-49-0x0000000002380000-0x000000000239C000-memory.dmp

Filesize
112KB

Download
memory/3376-25-0x00000000004E0000-0x00000000004FC000-memory.dmp

Filesize
112KB

Download
memory/3376-50-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3376-51-0x00000000004E0000-0x00000000004FC000-memory.dmp

Filesize
112KB

Download
memory/3376-54-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3376-62-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3376-68-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3376-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5048-27-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads