cdcb4acee9f2fdc2468c56f7786bfa642a3fe122ba0ce812d94a7defa353bf1d

General

Target

fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe
Size

148KB
MD5

fff6b172d80154c93ecb61a00f17c26b
SHA1

37cbaf9dfb6b5e1da9aa86f7687b3c51d31f2442
SHA256

cdcb4acee9f2fdc2468c56f7786bfa642a3fe122ba0ce812d94a7defa353bf1d
SHA512

97d97c8d4be103c74bd5837cd7e6cd130ee1d1af0ae2d31f51b95c4a8200cecc328e1c2335e750db516b11af9f425e00f356cef767eef92ee7283716c114a4b0
SSDEEP

3072:SLjeGZhA5qdE3rVtbYDA4R5M1EX/+MSkBXKl6IF8rIEtrwMMKj+ktcepV1J:S/FZhZE3rTM0qGMpwl6x1j+ktcE

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2688 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

Explorer.EXE

pid process

1404 Explorer.EXE

pid	process
2688	cmd.exe

pid	process
1404	Explorer.EXE

Loads dropped DLL 8 IoCs

Processes:

fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exerundll32.execmd.exeattrib.exe

pid	process
2040	fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe
2388	rundll32.exe
2388	rundll32.exe
2388	rundll32.exe
2388	rundll32.exe
2688	cmd.exe
2504	attrib.exe
856

Drops file in System32 directory 2 IoCs

Processes:

fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\convtvol.dll	fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\convtvol64.dll	fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe

pid process

2040 fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exerundll32.execmd.exe

description	pid	process	target process
PID 2040 wrote to memory of 2388	2040	fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe	rundll32.exe
PID 2040 wrote to memory of 2388	2040	fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe	rundll32.exe
PID 2040 wrote to memory of 2388	2040	fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe	rundll32.exe
PID 2040 wrote to memory of 2388	2040	fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe	rundll32.exe
PID 2040 wrote to memory of 2688	2040	fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe	cmd.exe
PID 2040 wrote to memory of 2688	2040	fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe	cmd.exe
PID 2040 wrote to memory of 2688	2040	fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe	cmd.exe
PID 2040 wrote to memory of 2688	2040	fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe	cmd.exe
PID 2040 wrote to memory of 2688	2040	fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe	cmd.exe
PID 2040 wrote to memory of 2688	2040	fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe	cmd.exe
PID 2040 wrote to memory of 2688	2040	fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe	cmd.exe
PID 2388 wrote to memory of 1404	2388	rundll32.exe	Explorer.EXE
PID 2388 wrote to memory of 1404	2388	rundll32.exe	Explorer.EXE
PID 2688 wrote to memory of 2504	2688	cmd.exe	attrib.exe
PID 2688 wrote to memory of 2504	2688	cmd.exe	attrib.exe
PID 2688 wrote to memory of 2504	2688	cmd.exe	attrib.exe
PID 2688 wrote to memory of 2504	2688	cmd.exe	attrib.exe
PID 2688 wrote to memory of 2504	2688	cmd.exe	attrib.exe
PID 2688 wrote to memory of 2504	2688	cmd.exe	attrib.exe
PID 2688 wrote to memory of 2504	2688	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2504 attrib.exe

pid	process
2504	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1404

C:\Users\Admin\AppData\Local\Temp\fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\system32\convtvol64.dll",CreateProcessNotify
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\259415357.bat" "C:\Users\Admin\AppData\Local\Temp\fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe""
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h"C:\Users\Admin\AppData\Local\Temp\fff6b172d80154c93ecb61a00f17c26b_JaffaCakes118.exe"
4⤵
- Loads dropped DLL
- Views/modifies file attributes
PID:2504

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259415357.bat
Filesize
75B

MD5
51fd65d49c0ad14de3b504af1683a279

SHA1
d495221ef492e0457f5972623c7aa395aac44e65

SHA256
585c367c364090017168b1080c8e8600bdb325b089c886f130dbf71a3ccf7ef2

SHA512
8f8c411629db44b7bec3d975efa654a166ca85eeea92f46942b4d63c5f2d42720e688e3b4476fa6050329a238e8dc9800777fe78f1e31abcb90b4f3277db9443

Download Submit
\Windows\SysWOW64\convtvol.dll
Filesize
43KB

MD5
ffccde52bfbad88e43c56e425a913996

SHA1
9dade48adf8ea9cc6e13d8bdc473f131ae0e7ec1

SHA256
48026197f45c2ee8abd943a6bff799087536c983a9b5afb561461ab2889ff8d4

SHA512
5da81bd9f4a1bcb213cc452aece9f98736ab034095aa715d664a58404503136a6f5bacf819c824a4e6bdc3dbb6f7d43f998e43f3ad1f9adc67e3fcc3ebfb3f97

Download Submit
\Windows\System32\convtvol64.dll
Filesize
51KB

MD5
7f52a76d671b0557f5b03117457d9c9d

SHA1
d9eaacf86d66e5955b8368f800dc7e1b3e9a50f6

SHA256
5b2b6ed2988538d3372697164455f6275bed1e8e04ba2da2d91fabf255d869e1

SHA512
8229211e8d96107feef91f23a98f0e365da1ce73eb7e6afa876ec958eaf786beb1a8f386720e23407cd7b29d956e9cf48fa232dc08652be1b5b4b35377207f20

Download Submit
memory/1404-34-0x0000000180000000-0x0000000180012000-memory.dmp

Filesize
72KB

Download
memory/1404-29-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/2040-7-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/2040-0-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2040-26-0x0000000001000000-0x0000000001027000-memory.dmp

Filesize
156KB

Download
memory/2040-28-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/2040-6-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/2040-1-0x0000000001000000-0x0000000001027000-memory.dmp

Filesize
156KB

Download
memory/2388-14-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2388-22-0x0000000180000000-0x0000000180012000-memory.dmp

Filesize
72KB

Download
memory/2504-40-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/2688-23-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2688-41-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads