cba4bd04fb347b98cd02e0a4f7dc99cf53b3888a86ba44e8c9995dd1c73738e9

General

Target

3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe
Size

254KB
MD5

3037588eebe0ef7a8ba9b6d370913d71
SHA1

150558e7588939ea24a5a3d2d48803ab745ae746
SHA256

cba4bd04fb347b98cd02e0a4f7dc99cf53b3888a86ba44e8c9995dd1c73738e9
SHA512

4d1676de035d23d0272a5dc62f412af658a30c1f8c8826778b32acf26932c1ab12125fbb30a94aaf9f63744a585289e674e3b177587807872e7efecc9c5c89ab
SSDEEP

6144:UzSA5+evPv5IZEU8FZ+k73biRBhh/mAlTBP1b:U1PSOnFQe3bUh5mmHb

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	msiexec.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msiexec.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1253033689 = "C:\\ProgramData\\mskmbbvxu.exe"	msiexec.exe

Disables taskbar notifications via registry modification
evasion

Deletes itself 1 IoCs

pid	Process
2540	msiexec.exe

Blocklisted process makes network request 28 IoCs

flow	pid	Process
3	2540	msiexec.exe
4	2540	msiexec.exe
6	2540	msiexec.exe
7	2540	msiexec.exe
9	2540	msiexec.exe
11	2540	msiexec.exe
12	2540	msiexec.exe
13	2540	msiexec.exe
15	2540	msiexec.exe
16	2540	msiexec.exe
17	2540	msiexec.exe
18	2540	msiexec.exe
19	2540	msiexec.exe
20	2540	msiexec.exe
21	2540	msiexec.exe
22	2540	msiexec.exe
23	2540	msiexec.exe
24	2540	msiexec.exe
25	2540	msiexec.exe
26	2540	msiexec.exe
28	2540	msiexec.exe
29	2540	msiexec.exe
30	2540	msiexec.exe
31	2540	msiexec.exe
32	2540	msiexec.exe
33	2540	msiexec.exe
34	2540	msiexec.exe
35	2540	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2944	3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe
2540	msiexec.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2944	3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe
2944	3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe
2944	3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 3008	2944	3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe	28
PID 2944 wrote to memory of 3008	2944	3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe	28
PID 2944 wrote to memory of 3008	2944	3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe	28
PID 2944 wrote to memory of 3008	2944	3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe	28
PID 2944 wrote to memory of 3008	2944	3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe	28
PID 2944 wrote to memory of 3008	2944	3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe	28
PID 2944 wrote to memory of 3008	2944	3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe	28
PID 2944 wrote to memory of 2540	2944	3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2540	2944	3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2540	2944	3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2540	2944	3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2540	2944	3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2540	2944	3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2540	2944	3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3037588eebe0ef7a8ba9b6d370913d71_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe"
  2⤵
  PID:3008
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Adds policy Run key to start application
  - Deletes itself
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2540-20-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/2540-18-0x00000000000D0000-0x00000000000D6000-memory.dmp

Filesize
24KB

Download
memory/2540-23-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/2540-22-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/2540-21-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/2540-19-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/2540-11-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/2540-17-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/2540-16-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/2540-12-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/2944-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2944-0-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2944-2-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3008-6-0x00000000009C0000-0x00000000009D4000-memory.dmp

Filesize
80KB

Download
memory/3008-4-0x00000000009C0000-0x00000000009D4000-memory.dmp

Filesize
80KB

Download
memory/3008-3-0x00000000009C0000-0x00000000009D4000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads