1843a48e711c316bcea8d1147aec6bb4cd6ba82f5f9ea1fbd1cb562ecb542791

General

Target

f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe
Size

175KB
MD5

f31e625570cdb72d7ff6655c0c1f07a9
SHA1

7315d6541a1a6af9fb778d1742bdd690a76c9726
SHA256

1843a48e711c316bcea8d1147aec6bb4cd6ba82f5f9ea1fbd1cb562ecb542791
SHA512

185aa7ac76715fa681d3b5d3b4d1bc3e3daca1a156fdf91579b34641d56a6027c44acb1929983a6b0dde34c2cc67095f123449ef129f981e27a5ac75673467df
SSDEEP

3072:MdGXmmfdNLMF88L4WJk90HxozECnZEqnjGVAdG9iXluLLOyK5kkQnlYysVxx+3wK:MNmf7v8LXZHyg0HnjvG4XlIL85kktysi

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe

Loads dropped DLL 4 IoCs

Processes:

f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exerundll32.execmd.exe

pid process

5052 f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe
1968
2768 rundll32.exe
1888 cmd.exe

pid	process
5052	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe
1968
2768	rundll32.exe
1888	cmd.exe

Drops file in System32 directory 2 IoCs

Processes:

f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ktmuuota.dll	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\ktmuuota64.dll	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2528 1888 WerFault.exe cmd.exe
1624 1888 WerFault.exe cmd.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe

pid process

5052 f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe
5052 f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe

pid	pid_target	process	target process
2528	1888	WerFault.exe	cmd.exe
1624	1888	WerFault.exe	cmd.exe

pid	process
5052	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe
5052	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe

description	pid	process	target process
PID 5052 wrote to memory of 2768	5052	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe	rundll32.exe
PID 5052 wrote to memory of 2768	5052	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe	rundll32.exe
PID 5052 wrote to memory of 1888	5052	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe	cmd.exe
PID 5052 wrote to memory of 1888	5052	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe	cmd.exe
PID 5052 wrote to memory of 1888	5052	f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2332 attrib.exe

pid	process
2332	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\system32\ktmuuota64.dll",CreateProcessNotify
2⤵
- Loads dropped DLL
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240640062.bat" "C:\Users\Admin\AppData\Local\Temp\f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe""
2⤵
- Loads dropped DLL
PID:1888

C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h"C:\Users\Admin\AppData\Local\Temp\f31e625570cdb72d7ff6655c0c1f07a9_JaffaCakes118.exe"
3⤵
- Views/modifies file attributes
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 488
3⤵
- Program crash
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 496
3⤵
- Program crash
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5052 -ip 5052
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1888 -ip 1888
1⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1888 -ip 1888
1⤵
PID:4788

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240640062.bat
Filesize
75B

MD5
bd3925ffa7a3132fb98cb92beacd0eab

SHA1
e28f5b585b0e44049ca8f26f506e0932b03528ea

SHA256
71c63acacab0ea6b78d2f0a66d4c5ba8ade5244848ba1dd55e2c06d7f7f8a790

SHA512
5465fea6eda8b045005836ba5707210bdb5e8060e4727aaf44620d8e1fd08173042cb6fb8deeff53c32533387d0466b8f02b8173ff35bbdc232879bd2a706677

Download Submit
C:\Windows\SysWOW64\ktmuuota.dll
Filesize
56KB

MD5
4870be9c2cde34feea9145ed299778d1

SHA1
73afeed2d50552076c351c2c0ef8521bf7d98e99

SHA256
cde00252370ba704c241efc15a475331657b0030f649ddca7be00ee743f55f51

SHA512
76f487e0067a233b3d671fcce6c05b7946d74c918a42289684bdb3d469745003b63c84d58ecf32db1b25593cf90ed4ff867bf3ff81b47b9274871e8f5e547c68

Download Submit
C:\Windows\System32\ktmuuota64.dll
Filesize
62KB

MD5
66f3dc1c18ad7a4e41eaecff0b6219d7

SHA1
8b7eff8c8c138c4621ef5edfbb612bdd0a796ad5

SHA256
0577d73ea2359816944c7a22f0974459df9c0119b048941f6416c8a356b0f938

SHA512
0ff1ad87952094a038de4fdd52472f40635d5e881ab2e15bca389d61df0ac7f6b503dc6df94e88539df5bfb34e0003999fc6b1885d03912f02e85252de2167f9

Download Submit
memory/1888-22-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2768-14-0x00000292C4CC0000-0x00000292C4CC1000-memory.dmp

Filesize
4KB

Download
memory/5052-0-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/5052-1-0x0000000001000000-0x000000000102E000-memory.dmp

Filesize
184KB

Download
memory/5052-6-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/5052-7-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/5052-9-0x0000000001000000-0x000000000102E000-memory.dmp

Filesize
184KB

Download
memory/5052-10-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/5052-17-0x0000000001000000-0x000000000102E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads