033884253a7a0d50221370381907ecaf9e2170da522a214b270ca5409d8f55e8

General

Target

e9530aac236ab40d5367665b55ac3bf9_JaffaCakes118.exe
Size

612KB
MD5

e9530aac236ab40d5367665b55ac3bf9
SHA1

ccd887876fcee56286d31701ecb7f247c4be561c
SHA256

033884253a7a0d50221370381907ecaf9e2170da522a214b270ca5409d8f55e8
SHA512

b83f1a2bc0f69c86a070b15ceb534cd8b7eaf9dfdf0e427607279458b40697b2ff651c567d5f7787649f04de8352fc199b567fa3956b4d74c3253fc0e75a9a8e
SSDEEP

12288:fiWaUgkDhOPo0VdfG1mIn0sSelRnlUZrHQ:fiWDgkAJH6m0hl9lUtw

Score

7^/10

persistence

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wauclt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e9530aac236ab40d5367665b55ac3bf9_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	e9530aac236ab40d5367665b55ac3bf9_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wauclt.exe

Executes dropped EXE 1 IoCs

pid	Process
4272	wauclt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Generic Host = "wauclt.exe"	e9530aac236ab40d5367665b55ac3bf9_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wauclt.exe	wauclt.exe
File created	C:\Windows\SysWOW64\wauclt.exe	wauclt.exe
File created	C:\Windows\SysWOW64\wauclt.exe	e9530aac236ab40d5367665b55ac3bf9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wauclt.exe	e9530aac236ab40d5367665b55ac3bf9_JaffaCakes118.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	e9530aac236ab40d5367665b55ac3bf9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\AVIFile	e9530aac236ab40d5367665b55ac3bf9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\AVIFile\ = "7"	e9530aac236ab40d5367665b55ac3bf9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32\ = "C:\\Windows\\SysWOW64\\avifil32.dll"	e9530aac236ab40d5367665b55ac3bf9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\llyV = "pXMblZ~^aTCqd{XBjvYLxD"	wauclt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ = "Microsoft AVI Files"	e9530aac236ab40d5367665b55ac3bf9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\coAVgDa = "FdhtfB{jlkh^I^llDPf^jB"	wauclt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hRzx = "qFoIKahbHulentG_bwNVKr\x7fnAv{STJP"	wauclt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uaviwrsiqfnq = "@bWX^TOL\\IHsjV_L"	wauclt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32	e9530aac236ab40d5367665b55ac3bf9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\rivybzBOg = "iK^MFU_FMlfgXi@iTMWmH[bKBQeUR_ii"	wauclt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\hRzx = "qFoIKahbHulentG_bGNVKr\x7fnAF{STJP"	wauclt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\WEwiJsdaEzvbE = "AULIBvCneUgHMNA_jd\\gEN\|S"	wauclt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uaviwrsiqfnq = "@bWXYTOL\\IH\|pL@`"	wauclt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32\ThreadingModel = "Both"	e9530aac236ab40d5367665b55ac3bf9_JaffaCakes118.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:C980DA7D	wauclt.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	wauclt.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1888	e9530aac236ab40d5367665b55ac3bf9_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1888	e9530aac236ab40d5367665b55ac3bf9_JaffaCakes118.exe
Token: 33	4272	wauclt.exe
Token: SeIncBasePriorityPrivilege	4272	wauclt.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 4272	1888	e9530aac236ab40d5367665b55ac3bf9_JaffaCakes118.exe	93
PID 1888 wrote to memory of 4272	1888	e9530aac236ab40d5367665b55ac3bf9_JaffaCakes118.exe	93
PID 1888 wrote to memory of 4272	1888	e9530aac236ab40d5367665b55ac3bf9_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\e9530aac236ab40d5367665b55ac3bf9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9530aac236ab40d5367665b55ac3bf9_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\SysWOW64\wauclt.exe
  "C:\Windows/system32\wauclt.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:C980DA7D

Filesize
109B

MD5
a7ad3226b21f36879769b7c69d5d7913

SHA1
9ffe7c4ee73c760e0f48b1ce652c4eb789f3efb1

SHA256
ed28f01c882041a34740e4d1ca96086212b418a83211317e3f399295d0488e47

SHA512
bf92a954b9d84e931ea43f6059eeab80e0e7fcf8a867ffba1e0016c72d7b215a0cb8d0b23ec909ab25cd9993a98013a0b5dba9d9d2c4f9e6ed54f9b6acb24538

Download Submit
C:\Windows\SysWOW64\wauclt.exe

Filesize
612KB

MD5
e9530aac236ab40d5367665b55ac3bf9

SHA1
ccd887876fcee56286d31701ecb7f247c4be561c

SHA256
033884253a7a0d50221370381907ecaf9e2170da522a214b270ca5409d8f55e8

SHA512
b83f1a2bc0f69c86a070b15ceb534cd8b7eaf9dfdf0e427607279458b40697b2ff651c567d5f7787649f04de8352fc199b567fa3956b4d74c3253fc0e75a9a8e

Download Submit
memory/1888-2-0x00000000020A0000-0x0000000002129000-memory.dmp

Filesize
548KB

Download
memory/1888-7-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1888-8-0x00000000020A0000-0x0000000002129000-memory.dmp

Filesize
548KB

Download
memory/1888-11-0x00000000020A0000-0x0000000002129000-memory.dmp

Filesize
548KB

Download
memory/1888-12-0x00000000020A0000-0x0000000002129000-memory.dmp

Filesize
548KB

Download
memory/1888-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1888-28-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1888-26-0x00000000020A0000-0x0000000002129000-memory.dmp

Filesize
548KB

Download
memory/4272-30-0x0000000000620000-0x00000000006A9000-memory.dmp

Filesize
548KB

Download
memory/4272-35-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4272-24-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4272-29-0x0000000000620000-0x00000000006A9000-memory.dmp

Filesize
548KB

Download
memory/4272-17-0x0000000000620000-0x00000000006A9000-memory.dmp

Filesize
548KB

Download
memory/4272-31-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4272-32-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4272-33-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4272-34-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4272-25-0x0000000000620000-0x00000000006A9000-memory.dmp

Filesize
548KB

Download
memory/4272-36-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4272-37-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4272-38-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4272-39-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4272-40-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4272-41-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4272-42-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4272-43-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4272-44-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads