2a03df419d6c6ae75dd211f5647dd986616133ef81e1dac7f2b5c2447702c467

General

Target

JaffaCakes118_f9fbbd4c6a8b4df3d5d08cba082a699a.exe
Size

10.6MB
MD5

f9fbbd4c6a8b4df3d5d08cba082a699a
SHA1

723abb7421800d2a1297a29b3792414ea16573bc
SHA256

2a03df419d6c6ae75dd211f5647dd986616133ef81e1dac7f2b5c2447702c467
SHA512

06e426758ef3d32fa961d5f9e028377e7e8878d59c4e7936103dc0279d189033bed8e2bd9cf1e10203e698d96f2a3ac5bebdfe72d878c410c32faa70244df9b6
SSDEEP

196608:enAZFZNUmR+FWM9pwQpHKb2x257MgnFEz1sZsqw/UaM2hHEH11wN0v0p:eAZtFg0MfFxKI25IgcusqNPNcNk0p

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2596	powershell.exe
1716	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2708	svchost.exe
740	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1676	taskeng.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\svchost32\svchost.exe	JaffaCakes118_f9fbbd4c6a8b4df3d5d08cba082a699a.exe
File opened for modification	C:\Windows\system32\svchost32\svchost.exe	JaffaCakes118_f9fbbd4c6a8b4df3d5d08cba082a699a.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1548	JaffaCakes118_f9fbbd4c6a8b4df3d5d08cba082a699a.exe
2596	powershell.exe
1716	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1548	JaffaCakes118_f9fbbd4c6a8b4df3d5d08cba082a699a.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	2708	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 2532	1548	JaffaCakes118_f9fbbd4c6a8b4df3d5d08cba082a699a.exe	32
PID 1548 wrote to memory of 2532	1548	JaffaCakes118_f9fbbd4c6a8b4df3d5d08cba082a699a.exe	32
PID 1548 wrote to memory of 2532	1548	JaffaCakes118_f9fbbd4c6a8b4df3d5d08cba082a699a.exe	32
PID 1548 wrote to memory of 2552	1548	JaffaCakes118_f9fbbd4c6a8b4df3d5d08cba082a699a.exe	34
PID 1548 wrote to memory of 2552	1548	JaffaCakes118_f9fbbd4c6a8b4df3d5d08cba082a699a.exe	34
PID 1548 wrote to memory of 2552	1548	JaffaCakes118_f9fbbd4c6a8b4df3d5d08cba082a699a.exe	34
PID 2532 wrote to memory of 2596	2532	cmd.exe	35
PID 2532 wrote to memory of 2596	2532	cmd.exe	35
PID 2532 wrote to memory of 2596	2532	cmd.exe	35
PID 2532 wrote to memory of 1716	2532	cmd.exe	37
PID 2532 wrote to memory of 1716	2532	cmd.exe	37
PID 2532 wrote to memory of 1716	2532	cmd.exe	37
PID 1676 wrote to memory of 2708	1676	taskeng.exe	39
PID 1676 wrote to memory of 2708	1676	taskeng.exe	39
PID 1676 wrote to memory of 2708	1676	taskeng.exe	39
PID 1676 wrote to memory of 740	1676	taskeng.exe	41
PID 1676 wrote to memory of 740	1676	taskeng.exe	41
PID 1676 wrote to memory of 740	1676	taskeng.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9fbbd4c6a8b4df3d5d08cba082a699a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f9fbbd4c6a8b4df3d5d08cba082a699a.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\system32\cmd.exe
  "cmd" #cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /f /sc minute /rl highest /mo 1 /tn "Entrenched" /tr "C:\Windows\system32\svchost32\svchost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2552

C:\Windows\system32\taskeng.exe
taskeng.exe {929B0FEB-874D-4F64-A049-8F6B831979B1} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\system32\svchost32\svchost.exe
  C:\Windows\system32\svchost32\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\system32\svchost32\svchost.exe
  C:\Windows\system32\svchost32\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
031c83ce6442013308a57e4e23bcada6

SHA1
d3ecf14516ba7bb6f5c63f894c45d131e4d9ae77

SHA256
83fb7435ce7335a3009acd5078a5e5dba12221bec47ff8761a7bde5addb88730

SHA512
749361b67a6e66e6e5399e2d38cfbb0dec5b83da32d755830d071ed6f8d140249c7e97b17931cabac7772d1af240b8523f39d704295b1c748dce31ccd7ecef00

Download Submit
C:\Windows\System32\svchost32\svchost.exe

Filesize
10.6MB

MD5
f9fbbd4c6a8b4df3d5d08cba082a699a

SHA1
723abb7421800d2a1297a29b3792414ea16573bc

SHA256
2a03df419d6c6ae75dd211f5647dd986616133ef81e1dac7f2b5c2447702c467

SHA512
06e426758ef3d32fa961d5f9e028377e7e8878d59c4e7936103dc0279d189033bed8e2bd9cf1e10203e698d96f2a3ac5bebdfe72d878c410c32faa70244df9b6

Download Submit
memory/740-38-0x0000000001310000-0x00000000016D2000-memory.dmp

Filesize
3.8MB

Download
memory/1548-11-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/1548-2-0x000000001C440000-0x000000001C772000-memory.dmp

Filesize
3.2MB

Download
memory/1548-5-0x000007FEF5D23000-0x000007FEF5D24000-memory.dmp

Filesize
4KB

Download
memory/1548-6-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/1548-7-0x00000000210F0000-0x0000000021414000-memory.dmp

Filesize
3.1MB

Download
memory/1548-8-0x0000000021420000-0x0000000021682000-memory.dmp

Filesize
2.4MB

Download
memory/1548-9-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/1548-0-0x000007FEF5D23000-0x000007FEF5D24000-memory.dmp

Filesize
4KB

Download
memory/1548-10-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/1548-1-0x00000000002E0000-0x00000000006A2000-memory.dmp

Filesize
3.8MB

Download
memory/1548-31-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/1548-3-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/1548-4-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/1716-29-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/1716-30-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2596-23-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2596-21-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2596-20-0x0000000002360000-0x00000000023E0000-memory.dmp

Filesize
512KB

Download
memory/2708-36-0x0000000000E60000-0x0000000001222000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads