bc64ad45f156496dab5f38b4d6810dd3276ccb43a639e979fa2a71f370f78aad

General

Target

433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe
Size

931KB
MD5

433dd4dce13e86688a3af13686c84d1c
SHA1

69ceb568484e6436b50b067f041f383acab22870
SHA256

bc64ad45f156496dab5f38b4d6810dd3276ccb43a639e979fa2a71f370f78aad
SHA512

45f933fd991bfedaab8b1fd19d41e22432f328abb5606aa04dc9cff43bf088fc1a674c156be95bd0aa452334b96e6ab6cd1105431abd27e6d03bbaa42aef47d7
SSDEEP

24576:LQgPByJzhAfD7MjzlR7W/BdT5r4fPn9OvRSWz4r:LQgZ0z0MjHC/Bdu39OvAWz+

Score

8^/10

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

certutil.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe

Drops startup file 1 IoCs

Processes:

lsass.com

description ioc process

File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cghost.url lsass.com
Executes dropped EXE 2 IoCs

Processes:

lsass.comlsass.com

pid process

3416 lsass.com
4428 lsass.com

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cghost.url	lsass.com

pid	process
3416	lsass.com
4428	lsass.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3080 PING.EXE
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

lsass.comlsass.com

pid process

3416 lsass.com
3416 lsass.com
3416 lsass.com
4428 lsass.com
4428 lsass.com
4428 lsass.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

lsass.comlsass.com

pid process

3416 lsass.com
3416 lsass.com
3416 lsass.com
4428 lsass.com
4428 lsass.com
4428 lsass.com

pid	process
3080	PING.EXE

pid	process
3416	lsass.com
3416	lsass.com
3416	lsass.com
4428	lsass.com
4428	lsass.com
4428	lsass.com

pid	process
3416	lsass.com
3416	lsass.com
3416	lsass.com
4428	lsass.com
4428	lsass.com
4428	lsass.com

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.execmd.exelsass.com

description	pid	process	target process
PID 5036 wrote to memory of 3992	5036	433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe	cmd.exe
PID 5036 wrote to memory of 3992	5036	433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe	cmd.exe
PID 5036 wrote to memory of 3992	5036	433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe	cmd.exe
PID 3992 wrote to memory of 1136	3992	cmd.exe	certutil.exe
PID 3992 wrote to memory of 1136	3992	cmd.exe	certutil.exe
PID 3992 wrote to memory of 1136	3992	cmd.exe	certutil.exe
PID 3992 wrote to memory of 3416	3992	cmd.exe	lsass.com
PID 3992 wrote to memory of 3416	3992	cmd.exe	lsass.com
PID 3992 wrote to memory of 3416	3992	cmd.exe	lsass.com
PID 3416 wrote to memory of 4428	3416	lsass.com	lsass.com
PID 3416 wrote to memory of 4428	3416	lsass.com	lsass.com
PID 3416 wrote to memory of 4428	3416	lsass.com	lsass.com
PID 3992 wrote to memory of 3080	3992	cmd.exe	PING.EXE
PID 3992 wrote to memory of 3080	3992	cmd.exe	PING.EXE
PID 3992 wrote to memory of 3080	3992	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\433dd4dce13e86688a3af13686c84d1c_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\SysWOW64\cmd.exe
cmd /c <nul set /p ="M" > lsass.com & type ffXi.com >> lsass.com & del ffXi.com & certutil -decode adCt.com R & lsass.com R & ping 127.0.0.1 -n 20
2⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\certutil.exe
certutil -decode adCt.com R
3⤵
- Manipulates Digital Signatures
PID:1136

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.com
lsass.com R
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3416

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.com R
4⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4428

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 20
3⤵
- Runs ping.exe
PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\R
Filesize
250KB

MD5
53a116d2b8ab11b92b293b4ad18cc523

SHA1
a4726d5f751271a8ef9f50c343249b3e97f91cc8

SHA256
f49fd869ebc412d9bd65b96330652ff1aea58d287a06f6b5c8a02ba442fd4d22

SHA512
e8f3eac4532041823b0362d84d591ce815aa55090d44ed18ac567ba17559b051e5b0c6d66ce6b0af2b22c11d90289cf96855ca51abcb4c5d5297fd7ce656e6fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\adCt.com
Filesize
344KB

MD5
608d98351812a3c2c73b94a6f5bef048

SHA1
edbdd9e0608abc2abf531bb42423a68a22349bd8

SHA256
4a17468fec26c6b95fd7d2365eae99cbc875ac5d0b34cbeff373b2ca15238884

SHA512
e24874e67f15d04ab8594591c92236d93a2f2212002ca3354ca8fbeedd90b524737f8603837c1858d19505b1b85edd8809cd1d6a3f263043740aecf042b34a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bzYfp.com
Filesize
332KB

MD5
340f2664d7956a753d8ea2fa5c0044ff

SHA1
0134773b0534c94f62edea2302d0efe020addc25

SHA256
956eba9bc654807eaaf15438024f0485d62fa35fcaabfe1bcc8fbf6668275c63

SHA512
3e9dae031e34a33aed97a1b331748a2bdf99862e13f94057aa8d32986e0db9748592300ca3639fe3f36fd439768510b7ea587775faa89991ff79eeda2e6e2997

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ffXi.com
Filesize
872KB

MD5
d86ab2aeeac2553c7857ece4492eda5d

SHA1
0828db56b556f3f0486a9de9d2c728216035e8e6

SHA256
8861365fb619dbb90da0027db93d041681c30deb93071ec588121a8f8ba08436

SHA512
8c0154d80fb47ea5225816e95db0126d02950f0ec7909a68205ee67a0d1c4dbff971933ee5ba0307c24658ce52400e144cde720e514acf3024fbdb2505345cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lsass.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads