d2af49d8a378678080f6c440d04f1a9bb965c0b219a5fbd7b771e4a5fe3f9894

General

Target

fc72a7bd9515e6b6a2cd12b05b3d06a3_JaffaCakes118.exe
Size

722KB
MD5

fc72a7bd9515e6b6a2cd12b05b3d06a3
SHA1

b6528f61722e0260193dedd7e940c5b5dc90c995
SHA256

d2af49d8a378678080f6c440d04f1a9bb965c0b219a5fbd7b771e4a5fe3f9894
SHA512

104fc6233e3c6d7c9786b2241f9b01887c7bdb3253a14864e5580a7c1425ce6e9352e2ce541f3aafbe94618bbd52e74809fed340544cbc98c376ed25edbc861c
SSDEEP

12288:FrWepO3JHRbDGDZZks7to54LoiQfF3Z4mxxQDqVTVOCS:76VRby7tQ4Lo7QmXnVTzS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2836	SERVER~1.EXE
632	windows

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fc72a7bd9515e6b6a2cd12b05b3d06a3_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\windows	SERVER~1.EXE
File opened for modification	C:\Windows\windows	SERVER~1.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	SERVER~1.EXE
Token: SeDebugPrivilege	632	windows

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
632	windows

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 2836	4572	fc72a7bd9515e6b6a2cd12b05b3d06a3_JaffaCakes118.exe	86
PID 4572 wrote to memory of 2836	4572	fc72a7bd9515e6b6a2cd12b05b3d06a3_JaffaCakes118.exe	86
PID 4572 wrote to memory of 2836	4572	fc72a7bd9515e6b6a2cd12b05b3d06a3_JaffaCakes118.exe	86
PID 632 wrote to memory of 3484	632	windows	91
PID 632 wrote to memory of 3484	632	windows	91

C:\Users\Admin\AppData\Local\Temp\fc72a7bd9515e6b6a2cd12b05b3d06a3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc72a7bd9515e6b6a2cd12b05b3d06a3_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2836

C:\Windows\windows
C:\Windows\windows
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:632
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
743KB

MD5
81fac696acbb26ae86e9c8a12a31cf0a

SHA1
805f2729ba1bff6cc1dabc06ace7b37616b9d860

SHA256
e8c4777435dca9689d65feedceba84f59f5d561efbbb7eeb5805dbef3b2b5d5d

SHA512
b5e07bbba91d1cc15b3995682e1b02b4d7044cecc15859c6b0c776444090f214f34f27297672654c9037f8fd62e48942241e74b96a5de81805741c11a7c64130

Download Submit
memory/632-45-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/632-41-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2836-42-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2836-38-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/4572-22-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/4572-26-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/4572-9-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/4572-10-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/4572-11-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/4572-12-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/4572-13-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/4572-14-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/4572-15-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/4572-16-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/4572-5-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/4572-19-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/4572-21-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/4572-0-0x0000000001000000-0x0000000001175000-memory.dmp

Filesize
1.5MB

Download
memory/4572-23-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/4572-24-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/4572-25-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/4572-6-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/4572-27-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/4572-28-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/4572-29-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/4572-30-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/4572-31-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/4572-34-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/4572-36-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/4572-35-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/4572-37-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/4572-4-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/4572-2-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/4572-3-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/4572-43-0x0000000001000000-0x0000000001175000-memory.dmp

Filesize
1.5MB

Download
memory/4572-44-0x00000000008E0000-0x0000000000934000-memory.dmp

Filesize
336KB

Download
memory/4572-1-0x00000000008E0000-0x0000000000934000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads