9b41869864670c3a60f9774169f3af245838536d741d275e510359cafcaf81dc

General

Target

f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe
Size

620KB
MD5

f83b3c4601ca3fa937c761a492816fcf
SHA1

a826898a423b67e26fc2b7587689dbd69b118db8
SHA256

9b41869864670c3a60f9774169f3af245838536d741d275e510359cafcaf81dc
SHA512

1b7bf34c1313eb754bb2e5ef85039e8092b421f4ca9110b94a199288ca0ac070f4fdd20f0db9f96d6e5c3eb733976386514e993effae3ee46df31210d89f9049
SSDEEP

12288:zj+BuagU0y60p1u8lES1PBD7aJOth+no0Ukhf/kGIQy:/+BIU0GO8lEEPN75tSBlf/TIQy

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\mspci.sys	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D8C7019BD363CEA27D25594A5517BD6A5225E04B	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D8C7019BD363CEA27D25594A5517BD6A5225E04B\Blob = 030000000100000014000000d8c7019bd363cea27d25594a5517bd6a5225e04b2000000001000000d6030000308203d2308202baa003020102020100300d06092a864886f70d0101050500308180310b3009060355040613025553312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303038204341311f301d06035504081316566572695369676e205472757374204e6574776f726b3120301e060355040b1317286329203230303820566572695369676e2c20496e632e301e170d3038303732353033313432315a170d3238303732303033313432315a308180310b3009060355040613025553312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303038204341311f301d06035504081316566572695369676e205472757374204e6574776f726b3120301e060355040b1317286329203230303820566572695369676e2c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100d29becc60b5391e3db6292a31b911ac3f3dbd1895bf1dde238ef7f89d5d366f8c099b973878a9a2548e9eefb25b417328629943feec5fcb3cb4568d6ce8966fdba88576e82ec41f5beb8f9e5db2e5fda9fae0b829116c6f052d2bffcab79d5ca7979ed758fbed8d68689f3d84bfdcc3d964b024391a2e544cbd8ef8772d44a72034c4e36290b9ea46b036448c52e4f4b2dd0fc722eae20a4957af2b2b5bc865d139bb6bd98622c6cb51fc453db26afd6fb1caf3c03483e17f04e2f471b7ccba2c1e5bff9bfe9c6986ba2d5501c35c69342bfbd75e8b0a1a6e4df5d87b55814a51fcfc88ec2737f6ce128270b4f50822255473fea1871d69e30edd9f8c37d82a10203010001a3553053300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604148077abe4ae125c8c9ea2e1b390a509944e3b5105301106096086480186f8420101040403020204300d06092a864886f70d010105050003820101003c95b3597084897b3dcdbeac0aa1b682d2329fc1b0cf8c613f18b1b436b65d97bf746668bf070d5aa1c38910004c85fab1fb569bbfeb64a5b58f7fe5cc9cdebca2505d5fae1508d2109c193c9bfe4c65e36703f2da8f4a606b7dd5edb9162e202df27104c52e7f3dccf23cb64aa9ffe537fa06273ebfe210825eb8dfbcf9f02cae323600d8d0dadc0f7022775ea019bf7139f9ce915d344ebf5e4cde507ae8147a1717ab2d7bc5e76d23fc76741bcaae03f69d0960ed77e754217fd5699dbe295eafb9f8774023d0aca0ee219141c68047558277e6418e2aa61043dfaececfc5fc80f746ea90d8cbb249147769ab656b36bb20bc6a62473e1376f3bdf21d6140	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3820	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3528	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe
3528	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe
3528	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe
3528	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3528	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 4928	3528	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe	86
PID 3528 wrote to memory of 4928	3528	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe	86
PID 3528 wrote to memory of 4928	3528	f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe	86
PID 4928 wrote to memory of 3820	4928	cmd.exe	88
PID 4928 wrote to memory of 3820	4928	cmd.exe	88
PID 4928 wrote to memory of 3820	4928	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f83b3c4601ca3fa937c761a492816fcf_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\72aiKTZ.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 127.1
    3⤵
    - Runs ping.exe
    PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\72aiKTZ.bat

Filesize
371B

MD5
53d001bd4b225ffa6b973b470d2024c1

SHA1
7e597b52397553c83e593fa5f036b9e53205382a

SHA256
5c17094d7ceb8e9e62d05f7269303bc44a707bdfa3c513226ab8d8b064b19645

SHA512
d5475f7416f90ea914778829736b70c047ae6ee40df29b5d039e9713a2b0621fa4630880cbd1d9e3c7d88fef23c085d917e51ba67a249af4df6478ba2933affb

Download Submit

Analysis

Sharing