22359a3347402e340e30b06ff9d121d4c44e6172b703ab346139ff90408c298a

General

Target

04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe
Size

874KB
MD5

04536fe41066b68c61abda2f17c1ca98
SHA1

064b659ba03e8630a3aa7b89221406e8c287c0b0
SHA256

22359a3347402e340e30b06ff9d121d4c44e6172b703ab346139ff90408c298a
SHA512

ad475f63304227908146aae5a77d9e79f6d30995e8c627173a1d2e3e61ae734227701a4ae7095cc52371da9d1d02dd5d771661020b5d59d4b37d58db4aee5f5f
SSDEEP

24576:EeRMLKmtvPyHu7L1Qv0y9pNg4W7HM8VcN+2QHCrg:3iKmHyO6vmp7s8MQ9

Score

7^/10

evasion trojan

Malware Config

Signatures

Loads dropped DLL 6 IoCs

Processes:

04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe

pid	process
1716	04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe
1716	04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe
1716	04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe
1716	04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe
1716	04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe
1716	04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe

description	pid	process	target process
PID 116 wrote to memory of 1984	116	04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe	04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe
PID 116 wrote to memory of 1984	116	04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe	04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe
PID 116 wrote to memory of 1984	116	04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe	04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe
PID 1984 wrote to memory of 1716	1984	04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe	04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe
PID 1984 wrote to memory of 1716	1984	04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe	04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe
PID 1984 wrote to memory of 1716	1984	04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe	04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:116

C:\Users\Admin\AppData\Local\Temp\04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04536fe41066b68c61abda2f17c1ca98_JaffaCakes118.exe"
3⤵
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x9CsT84App6sNMqTJ5X\extramod.dll
Filesize
73KB

MD5
f2efdab092ac3b4b4374a4bda1a04b4a

SHA1
cd7720e6af2d20f5831c2d47059ac5a4a09be6c3

SHA256
7a5178e711b16e5f0cca2b486f82718d177e6e24271efdfe8b896faff844b8cb

SHA512
c67ca84b185670128fa15312b714f930dfc811859ae4040b046783c013ebcd0527e96b906aa3cbace4bc379f6fdec08aae4bdc92999568bf9980a0b591180de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\x9CsT84App6sNMqTJ5X\loading_screen.dll
Filesize
5KB

MD5
44dac7f87bdf94d553f8d2cf073d605d

SHA1
21bf5d714b9fcab32ba40ff7d36e48c378b67a06

SHA256
0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66

SHA512
92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

Download Submit
C:\Users\Admin\AppData\Local\Temp\x9CsT84App6sNMqTJ5X\lua51.dll
Filesize
494KB

MD5
f0c59526f8186eadaf2171b8fd2967c1

SHA1
8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb

SHA256
6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6

SHA512
dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

Download Submit
C:\Users\Admin\AppData\Local\Temp\x9CsT84App6sNMqTJ5X\shared_library.dll
Filesize
200KB

MD5
ec2d78946b45ab0e31f30c96e7a525c5

SHA1
587d26b23629e5ef6af94119a71c0b4b0a42712c

SHA256
d109703e13f6dd5ec5cdff754179c3ad5cfc1d5b1e3082f03d9475cd3b6de4cc

SHA512
1a4eb1f109ecf8d7d525b7de0d1c481879307885447a41e8ecbc96c0ce7696f0a4827dc95c95018dc0e4d0416bd6cba7595dcaf29e2a18d9cfe0dbaa097a0c5a

Download Submit
memory/1716-20-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/1716-22-0x000000007FE30000-0x000000007FE40000-memory.dmp

Filesize
64KB

Download
memory/1716-21-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/1716-14-0x00000000007B0000-0x00000000007E6000-memory.dmp

Filesize
216KB

Download
memory/1716-19-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/1716-18-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/1716-17-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download
memory/1716-7-0x0000000000650000-0x0000000000666000-memory.dmp

Filesize
88KB

Download
memory/1716-28-0x000000007FE40000-0x000000007FE50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads