4153ef4d808ef701a408ac91ff853336c21947b0581b0804de933b53cc74e990

General

Target

e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe
Size

199KB
MD5

e5c902dd91723242bdf7afdadc5888e7
SHA1

e27102cf367e6439be73349f27f8b23278f0b9a0
SHA256

4153ef4d808ef701a408ac91ff853336c21947b0581b0804de933b53cc74e990
SHA512

487f3646cad76e3f863d78b4d6f2cd7c382f2d9dc75eaadfcafb44739a43b09f6dee1b493476f4c76b32733cd3c4795709c5ab70ca2a4a9e422ad2bdd4ff5665
SSDEEP

6144:StMhbwpYm+Piiz5XTPAzdelUOoptq+ZbcnqWS9:RxwMiizxTPAzEUxbB

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2744 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

Explorer.EXE

pid process

1196 Explorer.EXE

pid	process
2744	cmd.exe

pid	process
1196	Explorer.EXE

Loads dropped DLL 8 IoCs

Processes:

e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exerundll32.execmd.exeattrib.exe

pid	process
1688	e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe
1720	rundll32.exe
1720	rundll32.exe
1720	rundll32.exe
1720	rundll32.exe
860
2744	cmd.exe
1392	attrib.exe

Drops file in System32 directory 2 IoCs

Processes:

e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\dcomtend.dll	e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\dcomtend64.dll	e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe

pid process

1688 e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exerundll32.execmd.exe

description	pid	process	target process
PID 1688 wrote to memory of 1720	1688	e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe	rundll32.exe
PID 1688 wrote to memory of 1720	1688	e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe	rundll32.exe
PID 1688 wrote to memory of 1720	1688	e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe	rundll32.exe
PID 1688 wrote to memory of 1720	1688	e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe	rundll32.exe
PID 1720 wrote to memory of 1196	1720	rundll32.exe	Explorer.EXE
PID 1720 wrote to memory of 1196	1720	rundll32.exe	Explorer.EXE
PID 1688 wrote to memory of 2744	1688	e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe	cmd.exe
PID 1688 wrote to memory of 2744	1688	e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe	cmd.exe
PID 1688 wrote to memory of 2744	1688	e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe	cmd.exe
PID 1688 wrote to memory of 2744	1688	e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe	cmd.exe
PID 1688 wrote to memory of 2744	1688	e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe	cmd.exe
PID 1688 wrote to memory of 2744	1688	e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe	cmd.exe
PID 1688 wrote to memory of 2744	1688	e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe	cmd.exe
PID 2744 wrote to memory of 1392	2744	cmd.exe	attrib.exe
PID 2744 wrote to memory of 1392	2744	cmd.exe	attrib.exe
PID 2744 wrote to memory of 1392	2744	cmd.exe	attrib.exe
PID 2744 wrote to memory of 1392	2744	cmd.exe	attrib.exe
PID 2744 wrote to memory of 1392	2744	cmd.exe	attrib.exe
PID 2744 wrote to memory of 1392	2744	cmd.exe	attrib.exe
PID 2744 wrote to memory of 1392	2744	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1392 attrib.exe

pid	process
1392	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1196

C:\Users\Admin\AppData\Local\Temp\e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\system32\dcomtend64.dll",CreateProcessNotify
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\259448554.bat" "C:\Users\Admin\AppData\Local\Temp\e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe""
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\attrib.exe
attrib -s -r -h"C:\Users\Admin\AppData\Local\Temp\e5c902dd91723242bdf7afdadc5888e7_JaffaCakes118.exe"
4⤵
- Loads dropped DLL
- Views/modifies file attributes
PID:1392

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259448554.bat
Filesize
97B

MD5
d226a657b279c5fc0a892748230a56ff

SHA1
fa7e4fb6d6de3c4769001cbfce0a00ba02ef28a5

SHA256
9dae2767b8e3499d37418a75ddd04d457c7ec8d6c8f312ee109c95a8a97e7761

SHA512
07d55ccf3b511c3be64f6dcd05cea3feaafb286196e5d7ba30016ab6d9c0d656fb7cde8eb1ce0ef28a41f1f3f00f0e29020c92479619fd43e4ed47b829f8bf2a

Download Submit
\Windows\SysWOW64\dcomtend.dll
Filesize
67KB

MD5
102547efba4b5723e5d7a346a2dcb5d1

SHA1
bff8386a3eaf4246dce5d8fd25f10969b571ea00

SHA256
ec5651e4482bdaee33ab48e99305b0747e3e06bc35b01791942dc8a073672002

SHA512
c2709556fcf32523d7e6e974ae71a04d64f2a3e8ff2e4d18c42d2890952f22ded273f03c75494b400f233aaa5971f748a91a9124e385a40592cb6caf4345d04b

Download Submit
\Windows\System32\dcomtend64.dll
Filesize
73KB

MD5
22c30629296f80f9b117335120a5d97a

SHA1
9eeef90297a72ea36b2390191f664eeaf141b31e

SHA256
f4288adc0f9074d7e472e7dd527e3fa56125fe702dd6b426e6959e316690a541

SHA512
6729d020c82f52220840088d16b07b3e7a38e7a5e6a566bee2a1596ab8e6ba6adf2e1a915daa33a4ecde5c8632fcc6b8bd7c7ae94a9b62e066ee14d2f5155103

Download Submit
memory/1196-18-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/1196-47-0x0000000180000000-0x0000000180019000-memory.dmp

Filesize
100KB

Download
memory/1196-17-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/1392-49-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1688-41-0x0000000001000000-0x0000000001034000-memory.dmp

Filesize
208KB

Download
memory/1688-8-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1688-7-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/1688-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1688-42-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1688-2-0x0000000001000000-0x0000000001034000-memory.dmp

Filesize
208KB

Download
memory/1688-1-0x0000000001000000-0x0000000001034000-memory.dmp

Filesize
208KB

Download
memory/1720-16-0x0000000180000000-0x0000000180019000-memory.dmp

Filesize
100KB

Download
memory/1720-15-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2744-50-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads