d52f08143e2a16dda2e98d32c7cac55c2480ff17608bc5e7a379a8a7d93f9462

General

Target

f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe
Size

459KB
MD5

f825b0adf05397e2fbde6de1b4a0efe5
SHA1

1f9913efa61fe91ae689a8ab2e05b4fe75561bc7
SHA256

d52f08143e2a16dda2e98d32c7cac55c2480ff17608bc5e7a379a8a7d93f9462
SHA512

22a4603bce486639ac69c9bbc5865038ec5c055bc214cc9b4d636fc9c9b2f951dd5e4b096406efad77e7368841615c73aecac9fe226bd3bfbb9dc36fe81dfea5
SSDEEP

12288:zYc5w8vqTs1PQrr5tPrdA8goawgHQh+g:zYc5wrTs1PQr7jPgZbHdg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2144	uE1ii9Y.d
1220	Explorer.EXE
2656	wininit.exe

Loads dropped DLL 3 IoCs

pid	Process
2028	f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe
2144	uE1ii9Y.d
2656	wininit.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Explorer.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\lz_scby.txt	f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\lz_scby.txt	f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mHP4F67\	f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe
File opened for modification	C:\Windows\SCBYQDLP\	f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe
File created	C:\Windows\SCBYQDLP\sc07528.it	f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe
File created	C:\Windows\mHP4F67\rJsiJw6.dll	f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe
File created	C:\Windows\mHP4F67\gcANPn5.dll	f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe
File created	C:\Windows\mHP4F67\fZhK549.d	f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe
File created	C:\Windows\mHP4F67\uE1ii9Y.d	f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe
File created	C:\Windows\mHP4F67\wininit.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2028	f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe
2028	f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe
2028	f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	uE1ii9Y.d
Token: 33	1220	Explorer.EXE
Token: SeIncBasePriorityPrivilege	1220	Explorer.EXE
Token: 33	1220	Explorer.EXE
Token: SeIncBasePriorityPrivilege	1220	Explorer.EXE
Token: 33	1220	Explorer.EXE
Token: SeIncBasePriorityPrivilege	1220	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1220	Explorer.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2144	2028	f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2144	2028	f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2144	2028	f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2144	2028	f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe	28
PID 2144 wrote to memory of 1220	2144	uE1ii9Y.d	21
PID 1220 wrote to memory of 2656	1220	Explorer.EXE	29
PID 1220 wrote to memory of 2656	1220	Explorer.EXE	29
PID 1220 wrote to memory of 2656	1220	Explorer.EXE	29
PID 1220 wrote to memory of 2656	1220	Explorer.EXE	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f825b0adf05397e2fbde6de1b4a0efe5_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\mHP4F67\uE1ii9Y.d
    C:/Windows/mHP4F67/uE1ii9Y.d /runp2p:C:/Windows/mHP4F67/gcANPn5.dll
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2144
- C:\Windows\mHP4F67\wininit.exe
  C:/Windows/mHP4F67/wininit.exe /R0001:C:/Windows/mHP4F67/rJsiJw6.dll
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SCBYQDLP\sc07528.it

Filesize
284B

MD5
a2afd22054b055cdadbb2330fabe7925

SHA1
419b2beb692f53fcfe2da5e2b93afc0bb7d58cb1

SHA256
a08896663481bc64f36db1cfba0367018e3b57443cafc540d50394efc1829442

SHA512
dc5fbc3c11acdd8b9d28488473edc6fd683b8f9ace8eb80f707b9348aea9100f914e8a0520341ec07086476a39cea2e37f9516df5fdd1e0e4a3233bba5fc73a9

Download Submit
C:\Windows\mHP4F67\fZhK549.d

Filesize
56KB

MD5
05905397de2af7a0452d9f9258e66a11

SHA1
060f5c8b2f496945acb5972908d577079d9bac56

SHA256
f9d4331ef5a4889d5e998ea0fdc9aeaf6e8dbeb1e63da17f436aa72ee1d11b63

SHA512
a65c33f9c7b53dcdf8a5a76afdfcbdd60f30902e56ad6a8b8e2d665f7fe1ea71a8f4648f38f10a1bff7ce34a4e8cfaff0dc61788bb325f5a4d48e7f6031927a0

Download Submit
C:\Windows\mHP4F67\gcANPn5.dll

Filesize
277KB

MD5
4520642b22537cb44885df54c9e3c892

SHA1
773fe7cf22d8deebfeac663cfaa92c0510417a46

SHA256
ed1cab9569bf10c68f68d51902171fb62950d2e712a509a7df32ccd7a6ae7301

SHA512
cc7b0b1637936ffab4f45bef7cd12afcb3d8665f41144577ec7497007e923504f67ae063f54537717428719b05ef5d822c18abe582b0ea2b42c40926f86c045b

Download Submit
C:\Windows\mHP4F67\rJsiJw6.dll

Filesize
235KB

MD5
8c835ad5666f11d9ede22a051e0971fc

SHA1
50273d6087ae4ec26959ca928c43855bd1b1e37c

SHA256
f0ced799f693062ca4d52e3a3d076b9414425a27262f24ac4f3468c01fc78aa0

SHA512
49d3debd17027476c8494c2ec944784273cd19c9f5eeaffd4cfeeb3810d8123915839840272a0cbe6479d7afb0ac184974d63baea6e3be088037ef6bd999d3f1

Download Submit
C:\Windows\mHP4F67\wininit.exe

Filesize
56KB

MD5
7b75a3a10195f3cdb2a7204c7bfc1646

SHA1
fcfad42806e55e12b41a626e703532ec36f88973

SHA256
9525a09f5faed3e54fcf34db93439ed18782d8cf1d62a573e474087eb055b096

SHA512
cc427ac1bf623618ed360743e664e58f66cc8c3bd151e3c54d3dced9bb1f1422c6313aa130d4707ebc6cd21789f739afb4b3e21aa039f3c0e645643a7bc78f01

Download Submit
\Windows\mHP4F67\uE1ii9Y.d

Filesize
56KB

MD5
ca9d739f8de268366481d469af11b504

SHA1
cce06c08fc28cd3c6b03d1bc73d83262b4f2f92a

SHA256
377fef90bc28923a0783322feded81624ef52b84864b947809c236e85f93ff55

SHA512
3177ce8c4a878fb6f7ec563688ee377ebf4acb8caaed8acce2eb182bf89e2a34d21ebc4c42eeb28ee7b922fd5621001210d845293456e4251e96f3aeb136f991

Download Submit
memory/1220-32-0x0000000002E40000-0x0000000002E8B000-memory.dmp

Filesize
300KB

Download
memory/1220-35-0x0000000002E40000-0x0000000002E8B000-memory.dmp

Filesize
300KB

Download
memory/1220-21-0x0000000002E40000-0x0000000002E8B000-memory.dmp

Filesize
300KB

Download
memory/1220-24-0x0000000002E40000-0x0000000002E8B000-memory.dmp

Filesize
300KB

Download
memory/1220-40-0x0000000002E40000-0x0000000002E8B000-memory.dmp

Filesize
300KB

Download
memory/1220-17-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/1220-41-0x0000000002E40000-0x0000000002E8B000-memory.dmp

Filesize
300KB

Download
memory/1220-28-0x0000000002E40000-0x0000000002E8B000-memory.dmp

Filesize
300KB

Download
memory/1220-42-0x0000000002E40000-0x0000000002E8B000-memory.dmp

Filesize
300KB

Download
memory/1220-20-0x0000000002E40000-0x0000000002E8B000-memory.dmp

Filesize
300KB

Download
memory/1220-36-0x0000000002E40000-0x0000000002E8B000-memory.dmp

Filesize
300KB

Download
memory/1220-37-0x0000000002E40000-0x0000000002E8B000-memory.dmp

Filesize
300KB

Download
memory/1220-38-0x0000000002E40000-0x0000000002E8B000-memory.dmp

Filesize
300KB

Download
memory/1220-39-0x0000000002E40000-0x0000000002E8B000-memory.dmp

Filesize
300KB

Download
memory/1220-43-0x0000000002E40000-0x0000000002E8B000-memory.dmp

Filesize
300KB

Download
memory/2028-14-0x0000000000170000-0x00000000001B0000-memory.dmp

Filesize
256KB

Download
memory/2028-2-0x0000000000170000-0x00000000001B0000-memory.dmp

Filesize
256KB

Download
memory/2028-3-0x0000000000170000-0x00000000001B0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing