f34374515acfb1aaeaad5955acbd0da661e219115045cdca4934ecf627762c58

General

Target

f18116e4b8acc48c53e1762b67d8ee47_JaffaCakes118.exe
Size

689KB
MD5

f18116e4b8acc48c53e1762b67d8ee47
SHA1

adead593caf93218ccb2db65f10777c27e868bf3
SHA256

f34374515acfb1aaeaad5955acbd0da661e219115045cdca4934ecf627762c58
SHA512

f196145fd232f51a0b6f671bc57715eda40a6133528bb069c95b6df4c0ecca2a4ae3ae6ec2409a888bceb27cab5aa5ea363f10d1d7e6460eb2c0ead47a203b64
SSDEEP

12288:jtut5Piflv1Mgmxl2eKq2ONlnvxBB5jMF3Z4mxxbDqVTVOCz:wf62hXEO7n/jMQmXSVTzz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2672	4.exe
2420	4.exe

Loads dropped DLL 4 IoCs

pid	Process
2368	f18116e4b8acc48c53e1762b67d8ee47_JaffaCakes118.exe
2368	f18116e4b8acc48c53e1762b67d8ee47_JaffaCakes118.exe
2368	f18116e4b8acc48c53e1762b67d8ee47_JaffaCakes118.exe
2368	f18116e4b8acc48c53e1762b67d8ee47_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f18116e4b8acc48c53e1762b67d8ee47_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system.exe	4.exe
File created	C:\Windows\system.exe	4.exe
File opened for modification	C:\Windows\system.exe	4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	4.exe
Token: SeDebugPrivilege	2420	4.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2672	2368	f18116e4b8acc48c53e1762b67d8ee47_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2672	2368	f18116e4b8acc48c53e1762b67d8ee47_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2672	2368	f18116e4b8acc48c53e1762b67d8ee47_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2672	2368	f18116e4b8acc48c53e1762b67d8ee47_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2420	2368	f18116e4b8acc48c53e1762b67d8ee47_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2420	2368	f18116e4b8acc48c53e1762b67d8ee47_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2420	2368	f18116e4b8acc48c53e1762b67d8ee47_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2420	2368	f18116e4b8acc48c53e1762b67d8ee47_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\f18116e4b8acc48c53e1762b67d8ee47_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f18116e4b8acc48c53e1762b67d8ee47_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
787KB

MD5
a508b2dc8a3e5b6c3c589665d9d7f53b

SHA1
fc328a81795b5245e10d09aee0be767b9ff74d95

SHA256
8884cb7c2412e7669ea885938487730c2d85f79824f523085d2f879344753982

SHA512
7b16acd1ba162074dc4e315e7073f2ea78d88bb3ebb21583b3d5d285656c0738dcd6ccee545b7576cfb6c6265c8b02caf5d82d3392b5e5ba2dcc7ad13ee46a36

Download Submit
memory/2368-12-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2368-5-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2368-24-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download
memory/2368-22-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/2368-21-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/2368-20-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2368-19-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2368-18-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/2368-17-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2368-16-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2368-15-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2368-14-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2368-13-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2368-0-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/2368-23-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/2368-11-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2368-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2368-8-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2368-7-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2368-6-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2368-10-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2368-4-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2368-9-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2368-2-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2368-3-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2368-45-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/2420-42-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2420-44-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2672-38-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2672-34-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads