88cd987421b7810d571cd91ea722eb2731a83c2425a7bf8b0d47480ab7a70af9

General

Target

edc623389ea7cfe31884a79821e21b69_JaffaCakes118.exe
Size

146KB
MD5

edc623389ea7cfe31884a79821e21b69
SHA1

a45eb688b48feb67e942f1a5c0f3ddb897068b12
SHA256

88cd987421b7810d571cd91ea722eb2731a83c2425a7bf8b0d47480ab7a70af9
SHA512

ced0179d5ff54f3c12824872d85e3c4798471af9e1e24d38afed0f400cc1e044a9d8642ca27e0dab85094c932d95b529198aaf00bd75c8c68939f7d41c1a16ce
SSDEEP

3072:LTIOYS71IE6d4WfgJ+Og07Iw3S5GHVvANfuaZyIYlfxu/YWcShby:LkdS10dtfgrg0v33VoNfuaWfQYYby

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1212	Explorer.EXE

Loads dropped DLL 8 IoCs

pid	Process
2176	edc623389ea7cfe31884a79821e21b69_JaffaCakes118.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2712	cmd.exe
2940	attrib.exe
852	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\newdkill.dll	edc623389ea7cfe31884a79821e21b69_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\newdkill64.dll	edc623389ea7cfe31884a79821e21b69_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2176	edc623389ea7cfe31884a79821e21b69_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2676	2176	edc623389ea7cfe31884a79821e21b69_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2676	2176	edc623389ea7cfe31884a79821e21b69_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2676	2176	edc623389ea7cfe31884a79821e21b69_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2676	2176	edc623389ea7cfe31884a79821e21b69_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2712	2176	edc623389ea7cfe31884a79821e21b69_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2712	2176	edc623389ea7cfe31884a79821e21b69_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2712	2176	edc623389ea7cfe31884a79821e21b69_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2712	2176	edc623389ea7cfe31884a79821e21b69_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2712	2176	edc623389ea7cfe31884a79821e21b69_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2712	2176	edc623389ea7cfe31884a79821e21b69_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2712	2176	edc623389ea7cfe31884a79821e21b69_JaffaCakes118.exe	29
PID 2676 wrote to memory of 1212	2676	rundll32.exe	21
PID 2676 wrote to memory of 1212	2676	rundll32.exe	21
PID 2712 wrote to memory of 2940	2712	cmd.exe	31
PID 2712 wrote to memory of 2940	2712	cmd.exe	31
PID 2712 wrote to memory of 2940	2712	cmd.exe	31
PID 2712 wrote to memory of 2940	2712	cmd.exe	31
PID 2712 wrote to memory of 2940	2712	cmd.exe	31
PID 2712 wrote to memory of 2940	2712	cmd.exe	31
PID 2712 wrote to memory of 2940	2712	cmd.exe	31

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2940	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1212
- C:\Users\Admin\AppData\Local\Temp\edc623389ea7cfe31884a79821e21b69_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\edc623389ea7cfe31884a79821e21b69_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\newdkill64.dll",CreateProcessNotify
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\259431363.bat" "C:\Users\Admin\AppData\Local\Temp\edc623389ea7cfe31884a79821e21b69_JaffaCakes118.exe""
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h"C:\Users\Admin\AppData\Local\Temp\edc623389ea7cfe31884a79821e21b69_JaffaCakes118.exe"
      4⤵
      Loads dropped DLL
      Views/modifies file attributes
      PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259431363.bat

Filesize
69B

MD5
604802586163bdc9eda42f6a471e01ad

SHA1
fc255017a78e3ec103f73c8c8651effe08089c81

SHA256
02f35eec8f33e1ad57621253ee252ca073f6cc16bf9712d89859ffeb6bb49dd3

SHA512
66dc346d7bdcc80fc8ae6894ae10cab306aaf5cf1c1dd750a971d3df37d6f4ac607d188f583d08b526e3df13234cec9c7fa7f9bdc4c4ad187fc83a3506b94888

Download Submit
\Windows\SysWOW64\newdkill.dll

Filesize
44KB

MD5
742b5669339ed6ecf52a5328b3d3c874

SHA1
5fef004a394b6978dde2327edd7845fae1048a76

SHA256
36add7ac4ca632a0ad9289c296b4f3fae562c62535c6c3a2cf41ec55db4394db

SHA512
195421ea732a556b1038ed61f8805988e11c69ca8fe4e2d87c23658346c2fd103b95cadbf02fc3b19770929e6fff37cd0fcef624f224e5a5f917dbe656b21b92

Download Submit
\Windows\System32\newdkill64.dll

Filesize
49KB

MD5
f3e4546bbd4efcee98ce0b52849eaf93

SHA1
1ed5a64c7fb23e819d4d07be2cf3af8b4a21ec91

SHA256
2fc174a878b943567431dbd617c1b4ddfaf78000ca1091eaa7d711de6c59406e

SHA512
1e37f74891380f1b52e8b680aa74b8f3318648929010cb079c17bc3a2ed7f503ee47ebab8bd3311daa771dab282d35ba6a24dc730a3c9d46deb02810938fb284

Download Submit
memory/1212-42-0x0000000180000000-0x0000000180012000-memory.dmp

Filesize
72KB

Download
memory/1212-32-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/2176-8-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/2176-9-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/2176-1-0x00000000006D0000-0x00000000006F0000-memory.dmp

Filesize
128KB

Download
memory/2176-28-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/2176-29-0x00000000006D0000-0x00000000006F0000-memory.dmp

Filesize
128KB

Download
memory/2176-25-0x0000000001000000-0x0000000001027000-memory.dmp

Filesize
156KB

Download
memory/2176-3-0x0000000001000000-0x0000000001027000-memory.dmp

Filesize
156KB

Download
memory/2176-2-0x0000000001000000-0x0000000001027000-memory.dmp

Filesize
156KB

Download
memory/2676-16-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2676-30-0x0000000180000000-0x0000000180012000-memory.dmp

Filesize
72KB

Download
memory/2712-24-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2712-45-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/2940-44-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing