23d007f4a55144ca9e1a61386f317a5bdf60e575f05c53b3a13a277d6fc44fac

General

Target

17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe
Size

875KB
MD5

17e85f8a7b15ff08e947c22e07d86ef4
SHA1

f1c74495d3a02243da76f69631d570af35bc075b
SHA256

23d007f4a55144ca9e1a61386f317a5bdf60e575f05c53b3a13a277d6fc44fac
SHA512

ada83b2f1547a1e67cc72451bf23b4f53dc53e6b4440ce045b551a79d65578a7a6addef8ddbb2a00177194ff8e9561e2d2ca6668ed1303918b1ecb405aa2dc67
SSDEEP

24576:7GMLKmtvPyHu75iNZI3+Oy9pNg4W7HM87cN+2QHCKJ:SiKmHyOo3Iuwp7s8iQx

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2564	17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe
2564	17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe
2564	17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe
2564	17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2720	2220	17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2720	2220	17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2720	2220	17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2720	2220	17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2720	2220	17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2720	2220	17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2720	2220	17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe	28
PID 2720 wrote to memory of 2564	2720	17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe	29
PID 2720 wrote to memory of 2564	2720	17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe	29
PID 2720 wrote to memory of 2564	2720	17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe	29
PID 2720 wrote to memory of 2564	2720	17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe	29
PID 2720 wrote to memory of 2564	2720	17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe	29
PID 2720 wrote to memory of 2564	2720	17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe	29
PID 2720 wrote to memory of 2564	2720	17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\17e85f8a7b15ff08e947c22e07d86ef4_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ADVlHcTWkRPJktXDlY9\extramod.dll

Filesize
73KB

MD5
c5ea5856e9a3ca0366a7a3c42787007f

SHA1
da54ee91d6f57861b35825509fc6e6c8285eae16

SHA256
b564022e08366c99e3cdd52409b949f4325f244065e12e59d33a8db4d020c32e

SHA512
34fdfd9cadbc5d0e25e67724a1f91930e6664946c6900f1aa39e88757eb80bc8ac8b2df9060c7b6512ea817b9d515a25301fe273c77f699df027d122c2cd71bf

Download Submit
\Users\Admin\AppData\Local\Temp\ADVlHcTWkRPJktXDlY9\loading_screen.dll

Filesize
5KB

MD5
44dac7f87bdf94d553f8d2cf073d605d

SHA1
21bf5d714b9fcab32ba40ff7d36e48c378b67a06

SHA256
0e7dedad1360a808e7ab1086ff1fffa7b72f09475c07a6991b74a6c6b78ccf66

SHA512
92c6bf81d514b3a07e7796843200a78c17969720776b03c0d347aeefedb8f1269f6aac642728a38544836c1f17c594d570718d11368dc91fe5194ee5e83e1774

Download Submit
\Users\Admin\AppData\Local\Temp\ADVlHcTWkRPJktXDlY9\lua51.dll

Filesize
494KB

MD5
f0c59526f8186eadaf2171b8fd2967c1

SHA1
8ffbe3e03d8139b50b41931c7b3360a0eebdb5cb

SHA256
6e35d85fe4365e508adc7faffc4517c29177380c2ba420f02c2b9ee03103d3f6

SHA512
dccd287c5f25cac346836e1140b743756178d01cd58539cf8fac12f7ae54d338bfb4364c650edb4d6018ef1f4065f7e9835d32fd608f8ae66c67a0ffd05e9854

Download Submit
\Users\Admin\AppData\Local\Temp\ADVlHcTWkRPJktXDlY9\shared_library.dll

Filesize
200KB

MD5
b968bde5426919255a6838fcd12a2b4e

SHA1
40654218d6aa0fc0658c7156e4d5f46853dfd80b

SHA256
d798ab6c4f71a10eeaf19b85d1d02013c84e6d77e63a9a6a4f8b4841337c8aa9

SHA512
390ef8861b9b3e5e12598ab25d9c0a824ad155aed2079a704d1d6c97174b36c8821b6ae00d5f0d492e522270d7055276fe8287b0ede118a3a37b5bcfd655a7d9

Download Submit
memory/2564-15-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2564-13-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2564-10-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/2564-17-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2564-16-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2564-14-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

Filesize
64KB

Download
memory/2564-18-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/2564-5-0x00000000002E0000-0x00000000002F6000-memory.dmp

Filesize
88KB

Download
memory/2564-24-0x000000007EF00000-0x000000007EF10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing