73e4ce6e3b6c1e9f92ea8bc8f7d65ff4df1e2ba6d78fad549caf4d226b6e26eb

General

Target

fe74e997a5467841f5b915450e9d89e4_JaffaCakes118.exe
Size

291KB
MD5

fe74e997a5467841f5b915450e9d89e4
SHA1

e6b1433edb9906c504f0a1afdf7132a825743b22
SHA256

73e4ce6e3b6c1e9f92ea8bc8f7d65ff4df1e2ba6d78fad549caf4d226b6e26eb
SHA512

c5b372907fe939e6f00c53dee2c0cc5d6c444cc161541c6a10e12e5ee5a9143a9d3fbd3dff648d772f713eea9f38c4370d782ba8f0fa855a3a0eaf9b8a3ea396
SSDEEP

6144:qseuhm7O/klr2tqahdbzI6cxVcw5BbE2CApcv2M1XjWLiiacHpdt:MuhmJao5PCACvrTOi9O

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\sysdt.sys	winsmm.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\DarkstSer\Parameters\ServiceDll = "C:\\Windows\\system32\\System64.dll"	tempdir.exe

Executes dropped EXE 3 IoCs

pid	Process
2660	winsmm.exe
2580	tempdir.exe
2692	tempdir.exe

Loads dropped DLL 6 IoCs

pid	Process
2220	fe74e997a5467841f5b915450e9d89e4_JaffaCakes118.exe
2220	fe74e997a5467841f5b915450e9d89e4_JaffaCakes118.exe
2660	winsmm.exe
2660	winsmm.exe
2580	tempdir.exe
2604	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fe74e997a5467841f5b915450e9d89e4_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\KMe.bat	tempdir.exe
File created	C:\Windows\SysWOW64\System64.dat	tempdir.exe
File created	C:\Windows\SysWOW64\System64.dll	tempdir.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2692	tempdir.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2660	2220	fe74e997a5467841f5b915450e9d89e4_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2660	2220	fe74e997a5467841f5b915450e9d89e4_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2660	2220	fe74e997a5467841f5b915450e9d89e4_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2660	2220	fe74e997a5467841f5b915450e9d89e4_JaffaCakes118.exe	28
PID 2660 wrote to memory of 2580	2660	winsmm.exe	29
PID 2660 wrote to memory of 2580	2660	winsmm.exe	29
PID 2660 wrote to memory of 2580	2660	winsmm.exe	29
PID 2660 wrote to memory of 2580	2660	winsmm.exe	29
PID 2580 wrote to memory of 2692	2580	tempdir.exe	30
PID 2580 wrote to memory of 2692	2580	tempdir.exe	30
PID 2580 wrote to memory of 2692	2580	tempdir.exe	30
PID 2580 wrote to memory of 2692	2580	tempdir.exe	30
PID 2692 wrote to memory of 1256	2692	tempdir.exe	21
PID 2692 wrote to memory of 1256	2692	tempdir.exe	21
PID 2692 wrote to memory of 1256	2692	tempdir.exe	21
PID 2692 wrote to memory of 2504	2692	tempdir.exe	32
PID 2692 wrote to memory of 2504	2692	tempdir.exe	32
PID 2692 wrote to memory of 2504	2692	tempdir.exe	32
PID 2692 wrote to memory of 2504	2692	tempdir.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\fe74e997a5467841f5b915450e9d89e4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fe74e997a5467841f5b915450e9d89e4_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winsmm.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winsmm.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\tempdir.exe
      C:\Users\Admin\AppData\Local\Temp\tempdir.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Users\Admin\AppData\Local\Temp\tempdir.exe
        
        C:\Users\Admin\AppData\Local\Temp\tempdir.exe -Nod32
        5⤵
        Sets DLL path for service in the registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\system32\KMe.bat
        6⤵
        
        PID:2504

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netservice
1⤵
- Loads dropped DLL
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winsmm.exe

Filesize
225KB

MD5
c9685a9486c27d37f64fa2521f276d43

SHA1
3e88a8ada69f5d3b20cec12d731b0b7ecc5c8458

SHA256
90a3b7a01912dfdaadaa3cc786fcc18b3837f7330dbb515c295a467db759fe44

SHA512
58adc5a80abcfbce73d86f0c9da73e4527a83a2854aa337b14d0c29538e14c2fab32883712664323eef175200e696880b170578d02d5fc625bd8cd7993c07b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempdir.exe

Filesize
465KB

MD5
5e4dda7df4df581270f84feb503c1997

SHA1
a625dc8fc1549f6e859bf3d19b2a112728c0b1eb

SHA256
916a97987f7171a554de264a8c1786c92d41246073fa8f1a432882466dc125fe

SHA512
c890e85ae76602ff23c3a078f3c00a331a8ee8a2c70a624731a34eba278e1b427c1e2e909a904fc278ba2040974be27a5faae36fed59c9e92b951f18280b0cbc

Download Submit
C:\Windows\SysWOW64\KMe.bat

Filesize
61B

MD5
8f3848be53fc40fa7cfceea85e573d16

SHA1
f5e07757d091a4549c1b5163d2fa853a0199f55d

SHA256
165f6a63e2302b68389779848da0166e5412c53111722885719f616ef5e18b3b

SHA512
1ea3b4311bda4032fe5b3e4c1353c654a1d49dc0105f9af5cfee8dedf9ef1a3a1c005e71890bdc87e9ffcee31c4f787ba6f0968cdfc60aa0a7febbca93300577

Download Submit
C:\Windows\SysWOW64\System64.dat

Filesize
162B

MD5
c9f55e03623a1ea7f9bcbf13d205e32b

SHA1
4e9d1f218e21035c4d36fe1b1cb9ca1620dfaabb

SHA256
df0e39eedb54ca9eadfd2254e8b263169bc65387be7243a1793afb794c7e0981

SHA512
9f5da8106b9ac6cebad0cb67864052a86c044ba3c631bfa742ca9133c1a2f6f79ac3b286b03865ee32ba1089452c9b7fa3e486d1d4390b3586d0e83a5ecd0424

Download Submit
\??\c:\windows\SysWOW64\system64.dll

Filesize
357KB

MD5
a715478f4401f70db0b423b777e6bb1c

SHA1
6d1ce804cbe10f55147ea5207e9a7a4bf5090c7a

SHA256
af04167568ccd9c6700a5f825de9d1a02144cdef1ee651ab2d78c08dbc40a5bb

SHA512
0030f6ee04c39bed886d576061f7eb0f6ec60f2d7efd3066c48394b9990161e133d3248ec4ddaa5dcfb6c00de309c9d6e13029a4768acd620dba8cab962b4130

Download Submit
memory/1256-26-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/2220-44-0x0000000001000000-0x0000000001115000-memory.dmp

Filesize
1.1MB

Download
memory/2220-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2220-11-0x0000000000DC0000-0x0000000000E72000-memory.dmp

Filesize
712KB

Download
memory/2220-0-0x0000000001000000-0x0000000001115000-memory.dmp

Filesize
1.1MB

Download
memory/2580-39-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2604-47-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2604-53-0x00000000001A0000-0x00000000001FF000-memory.dmp

Filesize
380KB

Download
memory/2604-43-0x00000000001A0000-0x00000000001FF000-memory.dmp

Filesize
380KB

Download
memory/2604-61-0x00000000001A0000-0x00000000001FF000-memory.dmp

Filesize
380KB

Download
memory/2604-48-0x00000000001A0000-0x00000000001FF000-memory.dmp

Filesize
380KB

Download
memory/2604-49-0x00000000001A0000-0x00000000001FF000-memory.dmp

Filesize
380KB

Download
memory/2604-50-0x00000000001A0000-0x00000000001FF000-memory.dmp

Filesize
380KB

Download
memory/2604-51-0x00000000001A0000-0x00000000001FF000-memory.dmp

Filesize
380KB

Download
memory/2604-52-0x00000000001A0000-0x00000000001FF000-memory.dmp

Filesize
380KB

Download
memory/2604-60-0x00000000001A0000-0x00000000001FF000-memory.dmp

Filesize
380KB

Download
memory/2604-54-0x00000000001A0000-0x00000000001FF000-memory.dmp

Filesize
380KB

Download
memory/2604-55-0x00000000001A0000-0x00000000001FF000-memory.dmp

Filesize
380KB

Download
memory/2604-56-0x00000000001A0000-0x00000000001FF000-memory.dmp

Filesize
380KB

Download
memory/2604-57-0x00000000001A0000-0x00000000001FF000-memory.dmp

Filesize
380KB

Download
memory/2604-58-0x00000000001A0000-0x00000000001FF000-memory.dmp

Filesize
380KB

Download
memory/2604-59-0x00000000001A0000-0x00000000001FF000-memory.dmp

Filesize
380KB

Download
memory/2660-23-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2692-38-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads