bcb0a41963c0baddfbc72ade7382ae8f5ec039c1439c71cc8d96f30b8656f519

General

Target

f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
Size

15KB
MD5

f3e75c94de3c8fbd9a057c63f7ce0062
SHA1

8bc106204f4792b6fc25af00d6eac1908dfaad1b
SHA256

bcb0a41963c0baddfbc72ade7382ae8f5ec039c1439c71cc8d96f30b8656f519
SHA512

7338d6050c05bb5cafac45ce9b5817caa2e0bbaad268c30c52e07bf749bd93be7ecbd5448283bcf98d2d079b4dc68d63f09f75d1424b4c4a0578c2eec39639d9
SSDEEP

384:ty/TOFJLcl399gCERlNT+mZXgRiUC9ywO5jYl1aXY+ne:ty/TQml8bRlNvQwUC9UjYl8e

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\slbiopfs2.dll = "{00250025-0025-0025-0025-00250025BB15}"	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2460	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
764	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\slbiopfs2.tmp	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\slbiopfs2.tmp	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\slbiopfs2.nls	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00250025-0025-0025-0025-00250025BB15}	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00250025-0025-0025-0025-00250025BB15}\InProcServer32	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00250025-0025-0025-0025-00250025BB15}\InProcServer32\ = "C:\\Windows\\SysWow64\\slbiopfs2.dll"	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00250025-0025-0025-0025-00250025BB15}\InProcServer32\ThreadingModel = "Apartment"	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
764	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
764	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
764	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
764	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 2460	764	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe	28
PID 764 wrote to memory of 2460	764	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe	28
PID 764 wrote to memory of 2460	764	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe	28
PID 764 wrote to memory of 2460	764	f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3e75c94de3c8fbd9a057c63f7ce0062_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\8A74.tmp.bat
  2⤵
  - Deletes itself
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8A74.tmp.bat

Filesize
207B

MD5
f842398883950acf17cfd5f3c23e7969

SHA1
321fb6b59728198d69364e63465941e2c841b14c

SHA256
13ee45ba32418f13665d8c72597b69eae774ba021feda02d60e85b5717268cc5

SHA512
56b6116cf09d64884f5174281a0e0f28f45af18a2f70767485eb32e3181a6d7643910fdabd89ac471119f4b75d7b997755344f5cebdb38b1427215d09bf2f46e

Download Submit
C:\Windows\SysWOW64\slbiopfs2.nls

Filesize
428B

MD5
2fac5903c986ca533a9573420c1c77de

SHA1
928923bf5e601a51ff636878594852d3fd432080

SHA256
3f691192c74a1cc8af639ab8136fa097a21ffc8c7dbd00c555ebcb7ffac66f27

SHA512
54727f7dc12927955fff9c0b9dcf404d39889a21c7f48d5f55d348aa2876b2279539f330124f6299223edca358a7f90cda8f3dfb46a39f05cfff09f5a7234d58

Download Submit
\Windows\SysWOW64\slbiopfs2.dll

Filesize
829KB

MD5
c7c1ea6c0fca5745f9b18439b6f746b2

SHA1
dcba4466dc318c590106ccb553888f515a810e39

SHA256
00a93af51b75d503b71592dadfd8bda9d6494b341df231f6115e57b1157c4dc5

SHA512
62689e4e07b30f22925231faec14a97fc70d8093a0e9761650e7ff76ce7428f7c9e93759787793a95ea918c5ef6e86c1aa9d8f44aaa8ac9fc329db5c14f7f645

Download Submit
memory/764-16-0x0000000020000000-0x000000002000A000-memory.dmp

Filesize
40KB

Download
memory/764-25-0x0000000020000000-0x000000002000A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads