8d6524aff6a6eba7663282eff6e7aa6313e041b49033852faecb71492ff04cc6

General

Target

e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Size

76KB
MD5

e02ce999fdf66035d7cdbdc19585eff0
SHA1

886ba82210574979bbd070a3b5279589b9fd8772
SHA256

8d6524aff6a6eba7663282eff6e7aa6313e041b49033852faecb71492ff04cc6
SHA512

8084dcde12c3b150dae09abc4a30ced5212e0cc647a7d7276463253dce88555ee11171ee2bf6e73558447f52758c15d487fd47749741c4912238747ff7bd0ed1
SSDEEP

1536:PaRW+D2q3FQf2kvdMiCei1JRN3AfsB73lL0841nn0c+po6BZXKuaiM:PSW+6f2kvjCeiLR1AEB73lL08S0faMk3

Score

8^/10

defense_evasion discovery lateral_movement persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\COM Service = "C:\\Windows\\msagent\\msvhny.com"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\COM Service = "C:\\Windows\\msagent\\msvhny.com"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42CE4021-DE03-E3CC-EA32-40BB12E6015D}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42CE4021-DE03-E3CC-EA32-40BB12E6015D}\StubPath = "C:\\Windows\\system32\\mscabo.com"	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2280 svchost.exe

pid	process
2280	svchost.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exesvchost.exe

description	ioc	process
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Remote Services: SMB/Windows Admin Shares 1 TTPs 2 IoCs

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

lateral_movement

SMB/Windows Admin Shares

T1021.002

Processes:

svchost.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes	svchost.exe

Drops file in System32 directory 13 IoCs

Processes:

svchost.exesvchost.exesvchost.exee02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\SysWOW64\mslg.blf	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\SysWOW64\mscabo.com	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mscabo.com	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File created	C:\Windows\SysWOW64\mslg.blf	svchost.exe
File opened for modification	C:\Windows\SysWOW64\mscabo.com	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe

Drops file in Windows directory 8 IoCs

Processes:

e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exesvchost.exe

description	ioc	process
File created	C:\Windows\msagent\msvhny.com	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
File opened for modification	C:\Windows\svchost.exe	svchost.exe
File created	C:\Windows\svchost.exe	svchost.exe
File opened for modification	C:\Windows\msagent\msvhny.com	svchost.exe
File created	C:\Windows\msagent\msvhny.com	svchost.exe
File opened for modification	C:\Windows\svchost.exe	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
File created	C:\Windows\svchost.exe	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
File opened for modification	C:\Windows\msagent\msvhny.com	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exesvchost.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Modifies data under HKEY_USERS 48 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exesvchost.exe

pid process

3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
3372 e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
2280 svchost.exe
2280 svchost.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

2280 svchost.exe

pid	process
3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
2280	svchost.exe
2280	svchost.exe

pid	process
2280	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exesvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: SeSecurityPrivilege	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: SeBackupPrivilege	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: SeRestorePrivilege	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: SeShutdownPrivilege	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: SeDebugPrivilege	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: SeUndockPrivilege	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: 33	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: 34	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: 35	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: 36	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
Token: SeAuditPrivilege	4060	svchost.exe
Token: SeAuditPrivilege	4060	svchost.exe
Token: SeIncreaseQuotaPrivilege	2280	svchost.exe
Token: SeSecurityPrivilege	2280	svchost.exe
Token: SeTakeOwnershipPrivilege	2280	svchost.exe
Token: SeLoadDriverPrivilege	2280	svchost.exe
Token: SeSystemProfilePrivilege	2280	svchost.exe
Token: SeSystemtimePrivilege	2280	svchost.exe
Token: SeProfSingleProcessPrivilege	2280	svchost.exe
Token: SeIncBasePriorityPrivilege	2280	svchost.exe
Token: SeCreatePagefilePrivilege	2280	svchost.exe
Token: SeBackupPrivilege	2280	svchost.exe
Token: SeRestorePrivilege	2280	svchost.exe
Token: SeShutdownPrivilege	2280	svchost.exe
Token: SeDebugPrivilege	2280	svchost.exe
Token: SeSystemEnvironmentPrivilege	2280	svchost.exe
Token: SeRemoteShutdownPrivilege	2280	svchost.exe
Token: SeUndockPrivilege	2280	svchost.exe
Token: SeManageVolumePrivilege	2280	svchost.exe
Token: 33	2280	svchost.exe
Token: 34	2280	svchost.exe
Token: 35	2280	svchost.exe
Token: 36	2280	svchost.exe
Token: 33	2280	svchost.exe
Token: SeIncBasePriorityPrivilege	2280	svchost.exe
Token: 33	2280	svchost.exe
Token: SeIncBasePriorityPrivilege	2280	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4352	svchost.exe
Token: SeIncreaseQuotaPrivilege	4352	svchost.exe
Token: SeSecurityPrivilege	4352	svchost.exe
Token: SeTakeOwnershipPrivilege	4352	svchost.exe
Token: SeLoadDriverPrivilege	4352	svchost.exe
Token: SeSystemtimePrivilege	4352	svchost.exe
Token: SeBackupPrivilege	4352	svchost.exe
Token: SeRestorePrivilege	4352	svchost.exe
Token: SeShutdownPrivilege	4352	svchost.exe
Token: SeSystemEnvironmentPrivilege	4352	svchost.exe
Token: SeUndockPrivilege	4352	svchost.exe
Token: SeManageVolumePrivilege	4352	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4352	svchost.exe
Token: SeIncreaseQuotaPrivilege	4352	svchost.exe
Token: SeSecurityPrivilege	4352	svchost.exe
Token: SeTakeOwnershipPrivilege	4352	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe

description	pid	process	target process
PID 3372 wrote to memory of 2280	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe	svchost.exe
PID 3372 wrote to memory of 2280	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe	svchost.exe
PID 3372 wrote to memory of 2280	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe	svchost.exe
PID 3372 wrote to memory of 4456	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe	cmd.exe
PID 3372 wrote to memory of 4456	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe	cmd.exe
PID 3372 wrote to memory of 4456	3372	e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\svchost.exe
C:\Windows\svchost.exe
2⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\e02ce999fdf66035d7cdbdc19585eff0_JaffaCakes118.exe"
2⤵
- System Location Discovery: System Language Discovery
PID:4456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
- Remote Services: SMB/Windows Admin Shares
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:4296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:3168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Modifies data under HKEY_USERS
PID:4368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:4692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
- Remote Services: SMB/Windows Admin Shares
PID:3676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Active Setup

1

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Active Setup

1

T1547.014

Defense Evasion

Modify Registry

2

T1112

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Remote Services

1

T1021

SMB/Windows Admin Shares

1

T1021.002

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd
Filesize
3.0MB

MD5
cbda55dcc4be08631604f07ea6ddda42

SHA1
36512056bbbd2530c14f5ee3b59d404548aa942a

SHA256
ca4a8c7011fb0f91b7acf2b3362a960f75e5436dc55fe76a5d4c354be2dc21b2

SHA512
22ed1726e2902f6d107b30167d410c7d36ee47a8474e2fd6f685c4f0c2c69d875ac897c0a67fbcaa5c173eb00d5c198c8e127b8d2b5ebbba2e0564ecb5954356

Download Submit
C:\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd-wal
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_5E65FCDD03110BA05402E762877D780E
Filesize
510B

MD5
a47c0dec71cd1aa0b21f34428ae4b4e0

SHA1
209327a7b558d79fb69014185c41ec62682e63a5

SHA256
c8699ee007a2bd04aa678897c4310d5fa5278e10332cd266b41a414988868cd1

SHA512
a77bdd57e40a22527e51095de2d702fe76eba2b550556b39746765df98ed21ce6e99acb2027c7e073491c8400df6e8584affbf1b5a88b875c213e7317a813824

Download Submit
C:\Windows\SysWOW64\mscabo.com
Filesize
76KB

MD5
e02ce999fdf66035d7cdbdc19585eff0

SHA1
886ba82210574979bbd070a3b5279589b9fd8772

SHA256
8d6524aff6a6eba7663282eff6e7aa6313e041b49033852faecb71492ff04cc6

SHA512
8084dcde12c3b150dae09abc4a30ced5212e0cc647a7d7276463253dce88555ee11171ee2bf6e73558447f52758c15d487fd47749741c4912238747ff7bd0ed1

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
338B

MD5
d7ef2fa7110279cf5e7fa0f07d48252c

SHA1
d3291ed5d0ad5a19d98dd997ab6c39d79764b677

SHA256
73c7ce8000d57bf3a28cfbd2202c5fdbe4cb52d14c51c582cb717e0c01eefe62

SHA512
5a757303439ba6feb677689b7919a0e17dcdb482f48a1635f1d0f8d8fb1699e3246f8a5809716a6fa792519eb2b32878b769d7c40aaea582a83ab2e33860093d

Download Submit
memory/2280-55-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2280-52-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2280-60-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2280-62-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2280-68-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2280-69-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2280-72-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2280-73-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2280-75-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3372-30-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4312-2-0x0000016C74370000-0x0000016C74380000-memory.dmp

Filesize
64KB

Download
memory/4312-8-0x0000016C743D0000-0x0000016C743E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads