5ac88b55e64f5190d922a40223fb6c19a81eb6140a80d6921c6e3f9f50d3ce48

General

Target

251e358132eb0da4c2678122f4e7bc54_JaffaCakes118.exe
Size

2.1MB
MD5

251e358132eb0da4c2678122f4e7bc54
SHA1

48f4b322e926de7da257341672acdfcd3e9e9265
SHA256

5ac88b55e64f5190d922a40223fb6c19a81eb6140a80d6921c6e3f9f50d3ce48
SHA512

c65bd5313c3267497879441cad984e1fed38091e34b4a4a005872c98c1bcd06a5dcb988ffcca74718357176e664c925a8249b7fddca1d645f4f19650807c543b
SSDEEP

24576:h1OYdaOaqU2Uzf57ilCfBJyRWSb8iDBXEZc78KU88SehrUzcf:h1OsMqBI57ilCf+Ysv2hrMC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2760	WtEZE3j5JfEwBhO.exe
2480	WtEZE3j5JfEwBhO.exe

Loads dropped DLL 4 IoCs

pid	Process
2896	251e358132eb0da4c2678122f4e7bc54_JaffaCakes118.exe
2760	WtEZE3j5JfEwBhO.exe
2760	WtEZE3j5JfEwBhO.exe
2480	WtEZE3j5JfEwBhO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\__aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FPIVUM.tmp\\WtEZE3j5JfEwBhO.exe\" target \".\\\" bits downExt"	WtEZE3j5JfEwBhO.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.aHTML	WtEZE3j5JfEwBhO.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.aHTML\OpenWithProgids	WtEZE3j5JfEwBhO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.aHTML\OpenWithProgids\__aHTML	WtEZE3j5JfEwBhO.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\__aHTML\shell	WtEZE3j5JfEwBhO.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\__aHTML\shell\Edit\command	WtEZE3j5JfEwBhO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.aHTML\ = "__aHTML"	WtEZE3j5JfEwBhO.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\SystemFileAssociations\.aHTML\shell	WtEZE3j5JfEwBhO.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit	WtEZE3j5JfEwBhO.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\command	WtEZE3j5JfEwBhO.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\ddeexec	WtEZE3j5JfEwBhO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\command\ = "Notepad.exe"	WtEZE3j5JfEwBhO.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\__aHTML	WtEZE3j5JfEwBhO.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\__aHTML\shell\Edit\ddeexec	WtEZE3j5JfEwBhO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FPIVUM.tmp\\WtEZE3j5JfEwBhO.exe\" target \".\\\" bits downExt"	WtEZE3j5JfEwBhO.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\SystemFileAssociations	WtEZE3j5JfEwBhO.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\SystemFileAssociations\.aHTML	WtEZE3j5JfEwBhO.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\__aHTML\shell\Edit	WtEZE3j5JfEwBhO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\__aHTML\shell\Edit\command\ = "Notepad.exe"	WtEZE3j5JfEwBhO.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2480	WtEZE3j5JfEwBhO.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	WtEZE3j5JfEwBhO.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2760	2896	251e358132eb0da4c2678122f4e7bc54_JaffaCakes118.exe	28
PID 2896 wrote to memory of 2760	2896	251e358132eb0da4c2678122f4e7bc54_JaffaCakes118.exe	28
PID 2896 wrote to memory of 2760	2896	251e358132eb0da4c2678122f4e7bc54_JaffaCakes118.exe	28
PID 2896 wrote to memory of 2760	2896	251e358132eb0da4c2678122f4e7bc54_JaffaCakes118.exe	28
PID 2760 wrote to memory of 2480	2760	WtEZE3j5JfEwBhO.exe	29
PID 2760 wrote to memory of 2480	2760	WtEZE3j5JfEwBhO.exe	29
PID 2760 wrote to memory of 2480	2760	WtEZE3j5JfEwBhO.exe	29
PID 2760 wrote to memory of 2480	2760	WtEZE3j5JfEwBhO.exe	29
PID 2480 wrote to memory of 2948	2480	WtEZE3j5JfEwBhO.exe	30
PID 2480 wrote to memory of 2948	2480	WtEZE3j5JfEwBhO.exe	30
PID 2480 wrote to memory of 2948	2480	WtEZE3j5JfEwBhO.exe	30
PID 2480 wrote to memory of 2948	2480	WtEZE3j5JfEwBhO.exe	30
PID 2480 wrote to memory of 2948	2480	WtEZE3j5JfEwBhO.exe	30
PID 2480 wrote to memory of 2948	2480	WtEZE3j5JfEwBhO.exe	30
PID 2480 wrote to memory of 2948	2480	WtEZE3j5JfEwBhO.exe	30

C:\Users\Admin\AppData\Local\Temp\251e358132eb0da4c2678122f4e7bc54_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\251e358132eb0da4c2678122f4e7bc54_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\7zS197A.tmp\WtEZE3j5JfEwBhO.exe
  .\WtEZE3j5JfEwBhO.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\FPIVUM.tmp\WtEZE3j5JfEwBhO.exe
    "C:\Users\Admin\AppData\Local\Temp\FPIVUM.tmp\WtEZE3j5JfEwBhO.exe" target ".\" bits downExt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /u /s ".\\PueyRmP0VaZtwW.x64.dll"
      4⤵
      PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS197A.tmp\PueyRmP0VaZtwW.dll

Filesize
863KB

MD5
d1f69422801ce1843c4513901ee2099a

SHA1
389708e6f2a4e140e907f1c0d04be40dc238ec80

SHA256
65f7a745834012968968d2ca2bc1abb954d9c25f6ff763e550d50c1f33963574

SHA512
2e9391411ae9cabfec54099a0b18279f582060d2519d3cdb8e018ad9a4ad57ba66d2e5474f36fbdca81ed76ee7adfc1d12ec377c146f845a0c6db1735cfda164

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS197A.tmp\PueyRmP0VaZtwW.tlb

Filesize
5KB

MD5
1ca45b386c7b01e1bd45ef4e291d3f70

SHA1
dcabb955bc45b182231459d7e64cba59592c907e

SHA256
495c35bf29cd1c6e4a736db79e87203b6fd0c1345343dab958e5d9a4b087754c

SHA512
87dc04954e21af239f1cd8a300d7ea34c0de9580598080df8e2e75d347ad0232770b37d648db772f5d854a553f395a1fe9c010071ee76024f64ed819371fe752

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS197A.tmp\PueyRmP0VaZtwW.x64.dll

Filesize
945KB

MD5
7c53c4c64bc98a20452fd4d8c878712b

SHA1
9a4fad92518504f0802cb697ac80d44b2065ca25

SHA256
276f71de5199498172ec05b725581a4092c13e2ccc20f9e041ce3ffef6b21b9f

SHA512
4f575942a0af07927f6b08458a90b2c72b0514d9e71ab2e2fdea54d3fa6bb2a2534a7518ef01988bb478b63509ac75c55f41c7c27aac1f022b03e24463eed1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS197A.tmp\WtEZE3j5JfEwBhO.dat

Filesize
15KB

MD5
b73b235b7ea2f25df503b85150c51103

SHA1
4b1d509cde9555e855b8d77dcbbb9070edd6868d

SHA256
7d8cc642d3ad182898a1aa1f96e33ca848445a892839e93bdaf2661188ace5b6

SHA512
e55b5ab62cdbc404b74fa07f2f41722c6cb1e7c95b3484986a3f505877b6e193ef229bc5fcc7ce3a87a8e4ddf17ec80058546d0ee18b7bbec71d656e47c4c5e3

Download Submit
\Users\Admin\AppData\Local\Temp\7zS197A.tmp\WtEZE3j5JfEwBhO.exe

Filesize
218KB

MD5
9f6c52eec607111136cd222b02bf0530

SHA1
57f3815d0942e3b0a9bef621a7b4971f55fc74d7

SHA256
7314c47aa633946386d6d3cd7ac292974b5d457e14b053fa0ebc218d555c34f4

SHA512
6760f5f8b580f50e95a92d6baa096f8fee378047bc5833430503869db22e369ebbedad43c864ef1058a477cf4d1034c88f1f464cde467ccc904192718951ce54

Download Submit

Analysis

Sharing