067454e4c56e421442cd036923c2a8b7f60f4f4ce59f4243160d36f959d1bff1

General

Target

1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.exe
Size

5.5MB
MD5

1f8187292660e4ab4a567f917ed5fee8
SHA1

832442b51532bff1a93b62e8a64509d81ea58294
SHA256

067454e4c56e421442cd036923c2a8b7f60f4f4ce59f4243160d36f959d1bff1
SHA512

be84f01f27898e933be08e5cbe75a2cdf976f5dc99876bf67171fb9c94b25863e41a823aef89ca52c3d87694ca4eb065425b1312a64baea78ca70de673a76330
SSDEEP

98304:gvSYro+waPiQjmjP028bc0TtJEJNx5DJXMWbD0nLWI9HJn6wz6+Ln7kr+qrRW6Ja:WpUwjmjc28Imk3jsymJn62t3UE6llYn

Score

8^/10

execution persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Active Setup\Installed Components	1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{6BF52A52-394A-11D3-B153-00C04F79FAA6}	1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{89820200-ECBD-11CF-8B85-00AA005B4340}	1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{89820200-ECBD-11CF-8B85-00AA005B4383}	1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{8A69D345-D564-463C-AFF1-A69D9E530F96}	1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.tmp

Executes dropped EXE 1 IoCs

pid	Process
4592	1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.tmp

Loads dropped DLL 2 IoCs

pid	Process
4592	1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.tmp
4592	1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.tmp

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2156	powershell.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2156	powershell.exe
2156	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 4592	1592	1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.exe	84
PID 1592 wrote to memory of 4592	1592	1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.exe	84
PID 1592 wrote to memory of 4592	1592	1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.exe	84
PID 4592 wrote to memory of 2488	4592	1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.tmp	87
PID 4592 wrote to memory of 2488	4592	1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.tmp	87
PID 4592 wrote to memory of 2488	4592	1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.tmp	87
PID 2488 wrote to memory of 2156	2488	cmd.exe	89
PID 2488 wrote to memory of 2156	2488	cmd.exe	89
PID 2488 wrote to memory of 2156	2488	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Users\Admin\AppData\Local\Temp\is-E6P1P.tmp\1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-E6P1P.tmp\1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.tmp" /SL5="$30240,5495633,56832,C:\Users\Admin\AppData\Local\Temp\1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-ARH8V.tmp\ex.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0n03acv4.aau.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ARH8V.tmp\av.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ARH8V.tmp\ex.bat

Filesize
786B

MD5
7c7413909ddd96fbecf604155f19f13b

SHA1
3dd52978d573d944ec52521ca84ba4a83130d6dd

SHA256
c26179762b4f04e158a0bf51611cfe11d468982a80b825db34dd474a4d820787

SHA512
04394a1e22c1d0b01b8c5e821fc2c6c96b5d13676f29b6cf0134187fcda8041a1e0d1188fe7b502d22093a5433c297efc29920bc8a76377afac6f16a782fb606

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ARH8V.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E6P1P.tmp\1f8187292660e4ab4a567f917ed5fee8_JaffaCakes118.tmp

Filesize
693KB

MD5
160db79a135d5f5eb6e5f504ed4c38c9

SHA1
8ded92aa5a701cbea1b3d0ba64bce647bf89f008

SHA256
f6520eeff2df974d976fc2c7237536b69d238b5e462927565d539faf3a6fd82c

SHA512
6f1c9238de82db7596a9ac9052613c08c3a30af8b7e1a869333da7ca221ea5393a86088de4394ae408a9e2d4a792ad688f21df97066067195a2427d581642ebe

Download Submit
memory/1592-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1592-51-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1592-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2156-33-0x0000000006280000-0x00000000062E6000-memory.dmp

Filesize
408KB

Download
memory/2156-41-0x0000000007880000-0x0000000007916000-memory.dmp

Filesize
600KB

Download
memory/2156-24-0x0000000005A70000-0x0000000006098000-memory.dmp

Filesize
6.2MB

Download
memory/2156-25-0x00000000059E0000-0x0000000005A02000-memory.dmp

Filesize
136KB

Download
memory/2156-27-0x00000000734F0000-0x0000000073CA0000-memory.dmp

Filesize
7.7MB

Download
memory/2156-22-0x00000000032E0000-0x0000000003316000-memory.dmp

Filesize
216KB

Download
memory/2156-21-0x00000000734FE000-0x00000000734FF000-memory.dmp

Filesize
4KB

Download
memory/2156-26-0x0000000006210000-0x0000000006276000-memory.dmp

Filesize
408KB

Download
memory/2156-38-0x00000000063F0000-0x0000000006744000-memory.dmp

Filesize
3.3MB

Download
memory/2156-39-0x00000000068B0000-0x00000000068CE000-memory.dmp

Filesize
120KB

Download
memory/2156-40-0x0000000006900000-0x000000000694C000-memory.dmp

Filesize
304KB

Download
memory/2156-23-0x00000000734F0000-0x0000000073CA0000-memory.dmp

Filesize
7.7MB

Download
memory/2156-42-0x0000000006DE0000-0x0000000006DFA000-memory.dmp

Filesize
104KB

Download
memory/2156-43-0x0000000006E30000-0x0000000006E52000-memory.dmp

Filesize
136KB

Download
memory/2156-44-0x0000000007F30000-0x00000000084D4000-memory.dmp

Filesize
5.6MB

Download
memory/2156-45-0x0000000008B60000-0x00000000091DA000-memory.dmp

Filesize
6.5MB

Download
memory/2156-48-0x00000000734F0000-0x0000000073CA0000-memory.dmp

Filesize
7.7MB

Download
memory/4592-16-0x0000000003A40000-0x0000000003A7C000-memory.dmp

Filesize
240KB

Download
memory/4592-8-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4592-52-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4592-53-0x0000000003A40000-0x0000000003A7C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads