75b06eb2c4c11a80316b0b2d6df5e9ac223f45526ea49dc58a8f26f603608d3a

General

Target

f7f42c3bc7579623ad895a6c77aa8566_JaffaCakes118.exe
Size

101KB
MD5

f7f42c3bc7579623ad895a6c77aa8566
SHA1

3f852ed83d6d5540426c36ecbbd89c62e8f526be
SHA256

75b06eb2c4c11a80316b0b2d6df5e9ac223f45526ea49dc58a8f26f603608d3a
SHA512

dadc9bba7760ffc52f8c077e15b4e36a24eee7f6865705a03a83bbcefcdd2a716da529b5e58cba1fc864e8911644bd4f3aa65bbf19d597c6afcb059f306c5fcd
SSDEEP

3072:eFkSQ/fec1XCC91MF3FUK5tin1/reXAyE:cQnec1XvMFVUKHy/JyE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2416	Set.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	rundll32.exe
2364	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SET5323.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\W95Inf32.DLL	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\SET52F2.tmp	rundll32.exe
File created	C:\Windows\SysWOW64\SET52F2.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\SET5313.tmp	rundll32.exe
File created	C:\Windows\SysWOW64\SET5313.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\W95Inf16.DLL	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\SET5323.tmp	rundll32.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe
File created	C:\Windows\SET52D1.tmp	rundll32.exe
File opened for modification	C:\Windows\INF\SET5324.tmp	rundll32.exe
File opened for modification	C:\Windows\INF\FAKE_E.INF	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe
File opened for modification	C:\Windows\SET52D1.tmp	rundll32.exe
File opened for modification	C:\Windows\Fake.exe	rundll32.exe
File opened for modification	C:\Windows\SET52D2.tmp	rundll32.exe
File created	C:\Windows\SET52D2.tmp	rundll32.exe
File opened for modification	C:\Windows\Set.exe	rundll32.exe
File created	C:\Windows\INF\SET5324.tmp	rundll32.exe
File opened for modification	C:\Windows\setup.ini	rundll32.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	2364	rundll32.exe
Token: SeRestorePrivilege	2364	rundll32.exe
Token: SeRestorePrivilege	2364	rundll32.exe
Token: SeRestorePrivilege	2364	rundll32.exe
Token: SeRestorePrivilege	2364	rundll32.exe
Token: SeRestorePrivilege	2364	rundll32.exe
Token: SeRestorePrivilege	2364	rundll32.exe
Token: SeRestorePrivilege	2408	rundll32.exe
Token: SeRestorePrivilege	2408	rundll32.exe
Token: SeRestorePrivilege	2408	rundll32.exe
Token: SeRestorePrivilege	2408	rundll32.exe
Token: SeRestorePrivilege	2408	rundll32.exe
Token: SeRestorePrivilege	2408	rundll32.exe
Token: SeRestorePrivilege	2408	rundll32.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2364	2224	f7f42c3bc7579623ad895a6c77aa8566_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2364	2224	f7f42c3bc7579623ad895a6c77aa8566_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2364	2224	f7f42c3bc7579623ad895a6c77aa8566_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2364	2224	f7f42c3bc7579623ad895a6c77aa8566_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2364	2224	f7f42c3bc7579623ad895a6c77aa8566_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2364	2224	f7f42c3bc7579623ad895a6c77aa8566_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2364	2224	f7f42c3bc7579623ad895a6c77aa8566_JaffaCakes118.exe	28
PID 2364 wrote to memory of 2416	2364	rundll32.exe	29
PID 2364 wrote to memory of 2416	2364	rundll32.exe	29
PID 2364 wrote to memory of 2416	2364	rundll32.exe	29
PID 2364 wrote to memory of 2416	2364	rundll32.exe	29
PID 2364 wrote to memory of 2584	2364	rundll32.exe	30
PID 2364 wrote to memory of 2584	2364	rundll32.exe	30
PID 2364 wrote to memory of 2584	2364	rundll32.exe	30
PID 2364 wrote to memory of 2584	2364	rundll32.exe	30
PID 2224 wrote to memory of 2408	2224	f7f42c3bc7579623ad895a6c77aa8566_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2408	2224	f7f42c3bc7579623ad895a6c77aa8566_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2408	2224	f7f42c3bc7579623ad895a6c77aa8566_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2408	2224	f7f42c3bc7579623ad895a6c77aa8566_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2408	2224	f7f42c3bc7579623ad895a6c77aa8566_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2408	2224	f7f42c3bc7579623ad895a6c77aa8566_JaffaCakes118.exe	31
PID 2224 wrote to memory of 2408	2224	f7f42c3bc7579623ad895a6c77aa8566_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\f7f42c3bc7579623ad895a6c77aa8566_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7f42c3bc7579623ad895a6c77aa8566_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe advpack,LaunchINFSection C:\Users\Admin\AppData\Local\Temp\$INFTool.Tmp\FAKE_E.INF,DefaultInstall2.ntx86
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\Set.exe
    C:\Windows\Set.exe C:\Windows\Set.exe
    3⤵
    - Executes dropped EXE
    PID:2416
- - C:\Windows\SysWOW64\grpconv.exe
    grpconv.exe -o
    3⤵
    PID:2584
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe advpack,LaunchINFSection C:\Users\Admin\AppData\Local\Temp\$INFTool.Tmp\FAKE_E.INF,DefaultInstallX
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$INFTool.Tmp\AdvPack.DLL

Filesize
73KB

MD5
81e5c8596a7e4e98117f5c5143293020

SHA1
45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081

SHA256
7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004

SHA512
05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$INFTool.Tmp\FAKE_E.INF

Filesize
4KB

MD5
d2feb27abb2bcaeac5891cbde1f4060b

SHA1
526e685bf4769173edf1b87309e97e547354e9fd

SHA256
8f51dc990457df43c12c2cb066fb1b57a2d0ca743251927e5b8b2d73abb250ac

SHA512
66bb411aa655ccc7cd67d14fd8f6e8b1a11e635fd0784b28f4ab111494342d7c07034b14b90375d8b2689357e430503d5c2508d278a3beb78f56eedf47655bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$INFTool.Tmp\Fake.exe

Filesize
51KB

MD5
06d5b929f86e84bbc825c2bb7c6e6807

SHA1
4fee541e7dac494dbdd43b4ad7965b559e71f95c

SHA256
7eb6083c8a5cb523a7806815b8b7386b031b03d13bc8f0f3273bd5ec74f17b12

SHA512
189338e8c9b9f9f7d11b0caad534e9cf583fec638584e9c581c0d2f8619e15b9cc0c58c98e4836bb6550b2000664b4e79b153e94484faa9b4c9a88c43552760a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$INFTool.Tmp\Set.exe

Filesize
19KB

MD5
4dcbee363e7417f7ffd47d9cdb733491

SHA1
f98f7cceb3422ffd55c85a784c97072763b020c1

SHA256
7cbfb6fb43043780e7ad4db97c3345e2a1851921ec30015047143a16fe0d08cf

SHA512
5ebc4e4a33b10490093b004c16eaa44adb963952436539557d732817c53d550c81ee3ed15ee38102e9f0977b9a24e04465d0882a0c6182ded246ef090bf76e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\$INFTool.Tmp\W95Inf16.DLL

Filesize
2KB

MD5
7210d5407a2d2f52e851604666403024

SHA1
242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9

SHA256
337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af

SHA512
1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\$INFTool.Tmp\W95Inf32.DLL

Filesize
4KB

MD5
4be7661c89897eaa9b28dae290c3922f

SHA1
4c9d25195093fea7c139167f0c5a40e13f3000f2

SHA256
e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5

SHA512
2035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f

Download Submit
C:\Windows\setup.ini

Filesize
300B

MD5
a1aceb4837afae76054d61b1fe38627f

SHA1
fd726872676852daf005155dcb87a16601b18a7b

SHA256
4019fbb961405fb9f8b98ec4fefc66c2323ba711c28a50aed3ccdab656b6ecaa

SHA512
9dbe4842ca6ac2b1a7a34203b2d77ba5dc2766c016753e782724a466933672e0a1494f26db1627bee0d27e59904afa5b80d75b624c8a1a05e9acdaef1b030e93

Download Submit
memory/2224-49-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing