9b41869864670c3a60f9774169f3af245838536d741d275e510359cafcaf81dc

General

Target

f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe
Size

620KB
MD5

f83b3c4601ca3fa937c761a492816fcf
SHA1

a826898a423b67e26fc2b7587689dbd69b118db8
SHA256

9b41869864670c3a60f9774169f3af245838536d741d275e510359cafcaf81dc
SHA512

1b7bf34c1313eb754bb2e5ef85039e8092b421f4ca9110b94a199288ca0ac070f4fdd20f0db9f96d6e5c3eb733976386514e993effae3ee46df31210d89f9049
SSDEEP

12288:zj+BuagU0y60p1u8lES1PBD7aJOth+no0Ukhf/kGIQy:/+BIU0GO8lEEPN75tSBlf/TIQy

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\mspci.sys	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2124	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D8C7019BD363CEA27D25594A5517BD6A5225E04B	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D8C7019BD363CEA27D25594A5517BD6A5225E04B\Blob = 030000000100000014000000d8c7019bd363cea27d25594a5517bd6a5225e04b2000000001000000d6030000308203d2308202baa003020102020100300d06092a864886f70d0101050500308180310b3009060355040613025553312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303038204341311f301d06035504081316566572695369676e205472757374204e6574776f726b3120301e060355040b1317286329203230303820566572695369676e2c20496e632e301e170d3038303732353033313432315a170d3238303732303033313432315a308180310b3009060355040613025553312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303038204341311f301d06035504081316566572695369676e205472757374204e6574776f726b3120301e060355040b1317286329203230303820566572695369676e2c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100d29becc60b5391e3db6292a31b911ac3f3dbd1895bf1dde238ef7f89d5d366f8c099b973878a9a2548e9eefb25b417328629943feec5fcb3cb4568d6ce8966fdba88576e82ec41f5beb8f9e5db2e5fda9fae0b829116c6f052d2bffcab79d5ca7979ed758fbed8d68689f3d84bfdcc3d964b024391a2e544cbd8ef8772d44a72034c4e36290b9ea46b036448c52e4f4b2dd0fc722eae20a4957af2b2b5bc865d139bb6bd98622c6cb51fc453db26afd6fb1caf3c03483e17f04e2f471b7ccba2c1e5bff9bfe9c6986ba2d5501c35c69342bfbd75e8b0a1a6e4df5d87b55814a51fcfc88ec2737f6ce128270b4f50822255473fea1871d69e30edd9f8c37d82a10203010001a3553053300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604148077abe4ae125c8c9ea2e1b390a509944e3b5105301106096086480186f8420101040403020204300d06092a864886f70d010105050003820101003c95b3597084897b3dcdbeac0aa1b682d2329fc1b0cf8c613f18b1b436b65d97bf746668bf070d5aa1c38910004c85fab1fb569bbfeb64a5b58f7fe5cc9cdebca2505d5fae1508d2109c193c9bfe4c65e36703f2da8f4a606b7dd5edb9162e202df27104c52e7f3dccf23cb64aa9ffe537fa06273ebfe210825eb8dfbcf9f02cae323600d8d0dadc0f7022775ea019bf7139f9ce915d344ebf5e4cde507ae8147a1717ab2d7bc5e76d23fc76741bcaae03f69d0960ed77e754217fd5699dbe295eafb9f8774023d0aca0ee219141c68047558277e6418e2aa61043dfaececfc5fc80f746ea90d8cbb249147769ab656b36bb20bc6a62473e1376f3bdf21d6140	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3056	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2180	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe
2180	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2180	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2124	2180	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe	28
PID 2180 wrote to memory of 2124	2180	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe	28
PID 2180 wrote to memory of 2124	2180	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe	28
PID 2180 wrote to memory of 2124	2180	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe	28
PID 2124 wrote to memory of 3056	2124	cmd.exe	30
PID 2124 wrote to memory of 3056	2124	cmd.exe	30
PID 2124 wrote to memory of 3056	2124	cmd.exe	30
PID 2124 wrote to memory of 3056	2124	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\oDkddrn.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 127.1
    3⤵
    - Runs ping.exe
    PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oDkddrn.bat

Filesize
371B

MD5
20913aa1697f219bcb40a621701edd01

SHA1
23ffdf72dbc1be8f0bc50da7972263bec2c3bdc4

SHA256
96daf5b5fb8eead37f037e63f2030fdebea0fd825ebd07d1a7f785ea99b9ce8c

SHA512
6069ef4a069dc5ebefbdf2c546c57f52eb18340eba3ce002588ca6963d8c52f3be6bcff209afe4dc7c6fcfbf4c19e8fe741257608ce7c73a8839800b753c21fb

Download Submit

Analysis

Sharing