7dacd5a2345cffe2482bb86bab684f86ecefe5eef983b99f3873969d9f267b1e

General

Target

e3fa551432bb0ac6fdcbb992e3332cd3_JaffaCakes118.exe
Size

194KB
MD5

e3fa551432bb0ac6fdcbb992e3332cd3
SHA1

6d499c34b6e95b48f76998d563c37461c0f0eae9
SHA256

7dacd5a2345cffe2482bb86bab684f86ecefe5eef983b99f3873969d9f267b1e
SHA512

618b8307b3131ef853cc414af3602346c06780c8d1181943bf9a6ef83edac8c78ca7b7db70a4c71cf24bbbad0bac329ed21d91a1e48b65236b8b4ef4f805ed33
SSDEEP

6144:+Tca25qNd/cWP+lCQPTuf9e6HVAN6hwSyqc:+T325sGlTufoVRe

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2196 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

KB00416368.exe

pid process

2192 KB00416368.exe
Loads dropped DLL 2 IoCs

Processes:

e3fa551432bb0ac6fdcbb992e3332cd3_JaffaCakes118.exe

pid process

2112 e3fa551432bb0ac6fdcbb992e3332cd3_JaffaCakes118.exe
2112 e3fa551432bb0ac6fdcbb992e3332cd3_JaffaCakes118.exe

pid	process
2196	cmd.exe

pid	process
2112	e3fa551432bb0ac6fdcbb992e3332cd3_JaffaCakes118.exe
2112	e3fa551432bb0ac6fdcbb992e3332cd3_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e3fa551432bb0ac6fdcbb992e3332cd3_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\KB00416368.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\KB00416368.exe\""	e3fa551432bb0ac6fdcbb992e3332cd3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

KB00416368.exe

pid	process
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe
2192	KB00416368.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

KB00416368.exe

description pid process

Token: SeDebugPrivilege 2192 KB00416368.exe

description	pid	process
Token: SeDebugPrivilege	2192	KB00416368.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

e3fa551432bb0ac6fdcbb992e3332cd3_JaffaCakes118.exeKB00416368.exe

description	pid	process	target process
PID 2112 wrote to memory of 2192	2112	e3fa551432bb0ac6fdcbb992e3332cd3_JaffaCakes118.exe	KB00416368.exe
PID 2112 wrote to memory of 2192	2112	e3fa551432bb0ac6fdcbb992e3332cd3_JaffaCakes118.exe	KB00416368.exe
PID 2112 wrote to memory of 2192	2112	e3fa551432bb0ac6fdcbb992e3332cd3_JaffaCakes118.exe	KB00416368.exe
PID 2112 wrote to memory of 2192	2112	e3fa551432bb0ac6fdcbb992e3332cd3_JaffaCakes118.exe	KB00416368.exe
PID 2112 wrote to memory of 2196	2112	e3fa551432bb0ac6fdcbb992e3332cd3_JaffaCakes118.exe	cmd.exe
PID 2112 wrote to memory of 2196	2112	e3fa551432bb0ac6fdcbb992e3332cd3_JaffaCakes118.exe	cmd.exe
PID 2112 wrote to memory of 2196	2112	e3fa551432bb0ac6fdcbb992e3332cd3_JaffaCakes118.exe	cmd.exe
PID 2112 wrote to memory of 2196	2112	e3fa551432bb0ac6fdcbb992e3332cd3_JaffaCakes118.exe	cmd.exe
PID 2192 wrote to memory of 1116	2192	KB00416368.exe	taskhost.exe
PID 2192 wrote to memory of 1116	2192	KB00416368.exe	taskhost.exe
PID 2192 wrote to memory of 1116	2192	KB00416368.exe	taskhost.exe
PID 2192 wrote to memory of 1116	2192	KB00416368.exe	taskhost.exe
PID 2192 wrote to memory of 1116	2192	KB00416368.exe	taskhost.exe
PID 2192 wrote to memory of 1172	2192	KB00416368.exe	Dwm.exe
PID 2192 wrote to memory of 1172	2192	KB00416368.exe	Dwm.exe
PID 2192 wrote to memory of 1172	2192	KB00416368.exe	Dwm.exe
PID 2192 wrote to memory of 1172	2192	KB00416368.exe	Dwm.exe
PID 2192 wrote to memory of 1172	2192	KB00416368.exe	Dwm.exe
PID 2192 wrote to memory of 1204	2192	KB00416368.exe	Explorer.EXE
PID 2192 wrote to memory of 1204	2192	KB00416368.exe	Explorer.EXE
PID 2192 wrote to memory of 1204	2192	KB00416368.exe	Explorer.EXE
PID 2192 wrote to memory of 1204	2192	KB00416368.exe	Explorer.EXE
PID 2192 wrote to memory of 1204	2192	KB00416368.exe	Explorer.EXE
PID 2192 wrote to memory of 344	2192	KB00416368.exe	DllHost.exe
PID 2192 wrote to memory of 344	2192	KB00416368.exe	DllHost.exe
PID 2192 wrote to memory of 344	2192	KB00416368.exe	DllHost.exe
PID 2192 wrote to memory of 344	2192	KB00416368.exe	DllHost.exe
PID 2192 wrote to memory of 344	2192	KB00416368.exe	DllHost.exe
PID 2192 wrote to memory of 2884	2192	KB00416368.exe	DllHost.exe
PID 2192 wrote to memory of 2884	2192	KB00416368.exe	DllHost.exe
PID 2192 wrote to memory of 2884	2192	KB00416368.exe	DllHost.exe
PID 2192 wrote to memory of 2884	2192	KB00416368.exe	DllHost.exe
PID 2192 wrote to memory of 2884	2192	KB00416368.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\e3fa551432bb0ac6fdcbb992e3332cd3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3fa551432bb0ac6fdcbb992e3332cd3_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2112

C:\Users\Admin\AppData\Roaming\KB00416368.exe
"C:\Users\Admin\AppData\Roaming\KB00416368.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\POSFAA.tmp.BAT"
3⤵
- Deletes itself
PID:2196

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:344

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2884

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\POSFAA.tmp.BAT
Filesize
285B

MD5
743d6f298d9715a14064c3b3ba87a32e

SHA1
42093f1f3137260ee720ab687acd9fbcaa9a0f8e

SHA256
f00d1c4078e99f40e2a07e5ed208b5aa8b72c5bc2f610c339c1a81f2ac88b521

SHA512
d83ea47b0e9a2c78da53169258cbd42e94c02e206ca744a9ad04397599986d71579085aff4c53c39d86d20ac2df0d33a13475f03845914cec5d175a7cff796d0

Download Submit
\Users\Admin\AppData\Roaming\KB00416368.exe
Filesize
194KB

MD5
e3fa551432bb0ac6fdcbb992e3332cd3

SHA1
6d499c34b6e95b48f76998d563c37461c0f0eae9

SHA256
7dacd5a2345cffe2482bb86bab684f86ecefe5eef983b99f3873969d9f267b1e

SHA512
618b8307b3131ef853cc414af3602346c06780c8d1181943bf9a6ef83edac8c78ca7b7db70a4c71cf24bbbad0bac329ed21d91a1e48b65236b8b4ef4f805ed33

Download Submit
memory/344-69-0x00000000026E0000-0x0000000002701000-memory.dmp

Filesize
132KB

Download
memory/344-71-0x00000000026E0000-0x0000000002701000-memory.dmp

Filesize
132KB

Download
memory/1116-30-0x0000000000350000-0x0000000000371000-memory.dmp

Filesize
132KB

Download
memory/1116-28-0x0000000000350000-0x0000000000371000-memory.dmp

Filesize
132KB

Download
memory/1172-43-0x00000000020D0000-0x00000000020F1000-memory.dmp

Filesize
132KB

Download
memory/1172-45-0x00000000020D0000-0x00000000020F1000-memory.dmp

Filesize
132KB

Download
memory/1204-56-0x0000000003CB0000-0x0000000003CD1000-memory.dmp

Filesize
132KB

Download
memory/1204-58-0x0000000003CB0000-0x0000000003CD1000-memory.dmp

Filesize
132KB

Download
memory/2112-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2112-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2112-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2112-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2192-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2192-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2192-84-0x00000000003D0000-0x00000000003F1000-memory.dmp

Filesize
132KB

Download
memory/2192-86-0x00000000003D0000-0x00000000003F1000-memory.dmp

Filesize
132KB

Download
memory/2192-88-0x00000000003D0000-0x00000000003F1000-memory.dmp

Filesize
132KB

Download
memory/2192-103-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2192-107-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2192-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2192-114-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2884-100-0x0000000000330000-0x0000000000351000-memory.dmp

Filesize
132KB

Download
memory/2884-102-0x0000000000330000-0x0000000000351000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads