e603588520d43b42f47d9af8f74eaa70efba4fe006bd29f74ba9c28b0699128f

General

Target

bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Size

1.1MB
MD5

bb2016d496611fe8cae1421d73f1756a
SHA1

691fd0a996e5a8d7f725f65cc3d847f00f452140
SHA256

e603588520d43b42f47d9af8f74eaa70efba4fe006bd29f74ba9c28b0699128f
SHA512

e6e153865af8954ad91d8d30e70aaad5a2ac4eb9c1976427a2414dca5a6a30ac2f59bba5d56a1e109805b4a0b6e17024f016c6577d247bf131b95b0a1ce9290a
SSDEEP

12288:p9F7wFaFs+9bwsvIi4XqWtgir99ELM9dqugUbSbv8yNRTHHh+XLRSecvv+Kzj11Z:pn7w8X9bweZS9KCg0Gz9NloMHFzj/1

Score

10^/10

persistence vmprotect

Malware Config

Signatures

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2772	schtasks.exe	31

Executes dropped EXE 1 IoCs

pid	Process
1860	explorer.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2544-1-0x00000000013E0000-0x00000000015C4000-memory.dmp	vmprotect
behavioral1/files/0x000600000001903b-13.dat	vmprotect
behavioral1/memory/1860-25-0x0000000000F70000-0x0000000001154000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bb2016d496611fe8cae1421d73f1756a_JaffaCakes118 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lpksetup-20240903-052457-0\\bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe\""	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\activeds\\lsass.exe\""	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\dmvdsitf\\services.exe\""	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bb2016d496611fe8cae1421d73f1756a_JaffaCakes118 = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe\""	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\ProgramData\\Favorites\\explorer.exe\""	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\wwaninst\\dllhost.exe\""	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Google\\Update\\services.exe\""	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\System32\wwaninst\5940a34987c99120d96dace90a3f93f329dcad63	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File created	C:\Windows\System32\activeds\lsass.exe	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\activeds\lsass.exe	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File created	C:\Windows\System32\activeds\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File created	C:\Windows\System32\dmvdsitf\services.exe	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File created	C:\Windows\System32\dmvdsitf\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File created	C:\Windows\System32\wwaninst\dllhost.exe	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fc1b489f214e58494b8c0c4020ee1320d9af122d	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\services.exe	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2868	schtasks.exe
2736	schtasks.exe
2704	schtasks.exe
2948	schtasks.exe
2700	schtasks.exe
2596	schtasks.exe
2696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2544	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
1860	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
Token: SeDebugPrivilege	1860	explorer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 1860	2544	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe	39
PID 2544 wrote to memory of 1860	2544	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe	39
PID 2544 wrote to memory of 1860	2544	bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\ProgramData\Favorites\explorer.exe
  "C:\ProgramData\Favorites\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\activeds\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\dmvdsitf\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bb2016d496611fe8cae1421d73f1756a_JaffaCakes118" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\ProgramData\Favorites\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\wwaninst\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bb2016d496611fe8cae1421d73f1756a_JaffaCakes118" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\lpksetup-20240903-052457-0\bb2016d496611fe8cae1421d73f1756a_JaffaCakes118.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\wwaninst\dllhost.exe

Filesize
1.1MB

MD5
bb2016d496611fe8cae1421d73f1756a

SHA1
691fd0a996e5a8d7f725f65cc3d847f00f452140

SHA256
e603588520d43b42f47d9af8f74eaa70efba4fe006bd29f74ba9c28b0699128f

SHA512
e6e153865af8954ad91d8d30e70aaad5a2ac4eb9c1976427a2414dca5a6a30ac2f59bba5d56a1e109805b4a0b6e17024f016c6577d247bf131b95b0a1ce9290a

Download Submit
memory/1860-27-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/1860-32-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/1860-31-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/1860-30-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/1860-29-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/1860-28-0x0000000000270000-0x000000000027E000-memory.dmp

Filesize
56KB

Download
memory/1860-25-0x0000000000F70000-0x0000000001154000-memory.dmp

Filesize
1.9MB

Download
memory/2544-3-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2544-26-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2544-4-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2544-0-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

Filesize
4KB

Download
memory/2544-2-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2544-1-0x00000000013E0000-0x00000000015C4000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads