1843a48e711c316bcea8d1147aec6bb4cd6ba82f5f9ea1fbd1cb562ecb542791

General

Target

f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe
Size

175KB
MD5

f31e625570cdb72d7ff6655c0c1f07a9
SHA1

7315d6541a1a6af9fb778d1742bdd690a76c9726
SHA256

1843a48e711c316bcea8d1147aec6bb4cd6ba82f5f9ea1fbd1cb562ecb542791
SHA512

185aa7ac76715fa681d3b5d3b4d1bc3e3daca1a156fdf91579b34641d56a6027c44acb1929983a6b0dde34c2cc67095f123449ef129f981e27a5ac75673467df
SSDEEP

3072:MdGXmmfdNLMF88L4WJk90HxozECnZEqnjGVAdG9iXluLLOyK5kkQnlYysVxx+3wK:MNmf7v8LXZHyg0HnjvG4XlIL85kktysi

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2652 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE

pid	process
2652	cmd.exe

pid	process
1276	Explorer.EXE

Loads dropped DLL 8 IoCs

Processes:

f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exerundll32.execmd.exeattrib.exe

pid	process
2404	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe
2976	rundll32.exe
2976	rundll32.exe
2976	rundll32.exe
2976	rundll32.exe
2652	cmd.exe
2668	attrib.exe
828

Drops file in System32 directory 2 IoCs

Processes:

f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\DWWIrint.dll	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\DWWIrint64.dll	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe

pid process

2404 f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exerundll32.execmd.exe

description	pid	process	target process
PID 2404 wrote to memory of 2976	2404	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe	rundll32.exe
PID 2404 wrote to memory of 2976	2404	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe	rundll32.exe
PID 2404 wrote to memory of 2976	2404	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe	rundll32.exe
PID 2404 wrote to memory of 2976	2404	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe	rundll32.exe
PID 2404 wrote to memory of 2652	2404	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe	cmd.exe
PID 2404 wrote to memory of 2652	2404	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe	cmd.exe
PID 2404 wrote to memory of 2652	2404	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe	cmd.exe
PID 2404 wrote to memory of 2652	2404	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe	cmd.exe
PID 2404 wrote to memory of 2652	2404	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe	cmd.exe
PID 2404 wrote to memory of 2652	2404	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe	cmd.exe
PID 2404 wrote to memory of 2652	2404	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe	cmd.exe
PID 2976 wrote to memory of 1276	2976	rundll32.exe	Explorer.EXE
PID 2976 wrote to memory of 1276	2976	rundll32.exe	Explorer.EXE
PID 2652 wrote to memory of 2668	2652	cmd.exe	attrib.exe
PID 2652 wrote to memory of 2668	2652	cmd.exe	attrib.exe
PID 2652 wrote to memory of 2668	2652	cmd.exe	attrib.exe
PID 2652 wrote to memory of 2668	2652	cmd.exe	attrib.exe
PID 2652 wrote to memory of 2668	2652	cmd.exe	attrib.exe
PID 2652 wrote to memory of 2668	2652	cmd.exe	attrib.exe
PID 2652 wrote to memory of 2668	2652	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2668 attrib.exe

pid	process
2668	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1276

C:\Users\Admin\AppData\Local\Temp\f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\system32\DWWIrint64.dll",CreateProcessNotify
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\259419070.bat" "C:\Users\Admin\AppData\Local\Temp\f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe""
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h"C:\Users\Admin\AppData\Local\Temp\f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe"
4⤵
- Loads dropped DLL
- Views/modifies file attributes
PID:2668

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259419070.bat
Filesize
75B

MD5
ad0583102be4c50e7e052db68e2e84bd

SHA1
fe8e20fcd3f43d6dbb6710a7eb90785d7acdf7e2

SHA256
d4623407572a6b78464d45ff9a3d28bae06b72a246d047a5a2cf466d8b3f3ce0

SHA512
c3c843d9a8dd9a7a70c6307add9df2e562ed41a91d4a59416a63bbe9e24245a3846f79129a623231274878ad7c94f641f7ec5695132823462ad49605e465f498

Download Submit
\Windows\SysWOW64\DWWIrint.dll
Filesize
56KB

MD5
4870be9c2cde34feea9145ed299778d1

SHA1
73afeed2d50552076c351c2c0ef8521bf7d98e99

SHA256
cde00252370ba704c241efc15a475331657b0030f649ddca7be00ee743f55f51

SHA512
76f487e0067a233b3d671fcce6c05b7946d74c918a42289684bdb3d469745003b63c84d58ecf32db1b25593cf90ed4ff867bf3ff81b47b9274871e8f5e547c68

Download Submit
\Windows\System32\DWWIrint64.dll
Filesize
62KB

MD5
66f3dc1c18ad7a4e41eaecff0b6219d7

SHA1
8b7eff8c8c138c4621ef5edfbb612bdd0a796ad5

SHA256
0577d73ea2359816944c7a22f0974459df9c0119b048941f6416c8a356b0f938

SHA512
0ff1ad87952094a038de4fdd52472f40635d5e881ab2e15bca389d61df0ac7f6b503dc6df94e88539df5bfb34e0003999fc6b1885d03912f02e85252de2167f9

Download Submit
memory/1276-49-0x0000000180000000-0x0000000180016000-memory.dmp

Filesize
88KB

Download
memory/1276-28-0x0000000003990000-0x0000000003991000-memory.dmp

Filesize
4KB

Download
memory/2404-7-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/2404-8-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2404-0-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2404-6-0x0000000001000000-0x000000000102E000-memory.dmp

Filesize
184KB

Download
memory/2404-39-0x0000000001000000-0x000000000102E000-memory.dmp

Filesize
184KB

Download
memory/2404-40-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2404-1-0x0000000001000000-0x000000000102E000-memory.dmp

Filesize
184KB

Download
memory/2652-24-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2652-48-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2668-47-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2976-15-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2976-23-0x0000000180000000-0x0000000180016000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads