ab3e4f1244221a33e4995c6bad5e84a5533c633e7efa51c61fd958803ac5ec14

General

Target

65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll
Size

1.4MB
MD5

65be5073c6f4834d3d1c73594d97b75d
SHA1

06c6bc46067313ccaf0d0dad517f5f216f46b4be
SHA256

ab3e4f1244221a33e4995c6bad5e84a5533c633e7efa51c61fd958803ac5ec14
SHA512

a1f333d5001246ce6443d2203b31af97bc946326453680dd5d5c4f8c9c60ca473f844a1ee565b56ccc618434c794d449aa4f618604ee9a1b227e6203be8310c9
SSDEEP

24576:651RzX5yRZj474urTiFDhRj5m6tYFyIG4SN6u0QHsBQ4oxKy1fumXF:DZj474GOdcG76u0QMBQ4ox5umX

Score

10^/10

discovery

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1692 created 432 1692 rundll32.exe winlogon.exe
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

5 1692 rundll32.exe
7 1692 rundll32.exe
9 1692 rundll32.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2960 cmd.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	pid	process	target process
PID 1692 created 432	1692	rundll32.exe	winlogon.exe

flow	pid	process
5	1692	rundll32.exe
7	1692	rundll32.exe
9	1692	rundll32.exe

pid	process
2960	cmd.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\DISK\ENUM	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DISK\ENUM	rundll32.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1304 timeout.exe
2636 timeout.exe

pid	process
1304	timeout.exe
2636	timeout.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FA47EF9F4168443796E2A534A90D9D36C1C18572	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FA47EF9F4168443796E2A534A90D9D36C1C18572\Blob = 030000000100000014000000fa47ef9f4168443796e2a534a90d9d36c1c185722000000001000000cd030000308203c9308202b1a003020102020900d98308e45f1730f5300d06092a864886f70d01010505003065310b30090603550406130255533111300f060355040713084e657720596f726b311d301b060355040a13144257506c617965722043657274696669636174653111300f060355040b13084257506c617965723111300f060355040313084257506c61796572301e170d3138303132323131353631375a170d3438303131353131353631375a3065310b30090603550406130255533111300f060355040713084e657720596f726b311d301b060355040a13144257506c617965722043657274696669636174653111300f060355040b13084257506c617965723111300f060355040313084257506c6179657230820122300d06092a864886f70d01010105000382010f003082010a0282010100addc4d3e91686c4409bc81594db895497f51ba4391d1cdd3a5f023b7b5b7386f03863ff8af25814b0b2d7de511bb4515936cad031e20a2be99c04b1ec2b21a6bd8f107b3ed9d67d1c455f2f6854c7e8310ac0ef014ff69119bb60f87a61dc4f40a49b62eb1af5493076cb90d736afe8aa9b3a80fe17818a95ffe33adfc2c0492437144c8edd4c2665c2172bc69bb3be29164b96550bc62e6dcb18fc71c795f2d1922ff394b095c02643e2859c75d9aa3121d6f6b22c785730ed45f66bef0acbda739ab1ff60e4cba43bed235fe6b979d1c0422b60068422c86945c6594854301e58ab2a2fb49121675b15c1c7793476093d3da84702e637a691ababf0268e58d0203010001a37c307a30120603551d130101ff040830060101ff020100301106096086480186f8420101040403020204300b0603551d0f040403020106301d0603551d250416301406082b0601050507030106082b06010505070302302506096086480186f842010d041816164f70656e53534c204341204365727469666963617465300d06092a864886f70d010105050003820101005114df932c65ef49a656d1315aabaea70d75c696ae6060766818ed0dc95ee86d99ec858118e7727ac355ad5f71e98e210b89ec87cccacee7ca1146aba9537a08b1d8f8543a700c4f5c895eb81b9681438deaa8905cd0852209dab68baa845bb3d56159e6b2463f11f7a5936bbc887841d75ccb09401be88581a079d49236a37dcbe8a3fc538293a6d4842db85ec8be5faa9bafc453de3be56f8d0bb73a79c193d78bec90ed22b54151a9a42051d9d102c75bce07be4bb4273bc117ba2e47b544d3e656adaa88ccea61274dde5a966df5212270ca2f3fb025ef2cf6938caaa9fc7a4dbc214a2ced10b44740dd2d7449772849fd4806e594c19586089f6a56f7bf	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E\Blob = 03000000010000001400000026d9e607fff0c58c7844b47ff8b6e079e5a2220e2000000001000000fd030000308203f9308202e1a003020102020900b6e1abf38b9ab41a300d06092a864886f70d0101050500307d310b300906035504061302494c3111300f06035504081308477573682044616e3112301006035504071309486572747a696c69613121301f060355040a1318477265656e5465616d20496e7465726e65742c204c74642e310c300a060355040b1303576562311630140603550403130d636c6f756467756172642e6d65301e170d3134303732333137323531355a170d3434303731353137323531355a307d310b300906035504061302494c3111300f06035504081308477573682044616e3112301006035504071309486572747a696c69613121301f060355040a1318477265656e5465616d20496e7465726e65742c204c74642e310c300a060355040b1303576562311630140603550403130d636c6f756467756172642e6d6530820122300d06092a864886f70d01010105000382010f003082010a0282010100be81e2dbe640e8c8a9e76c999ef6e0c46742128d3d0474d43d2849abf5149c8294cf2fb58de6bc42b190042de09615a65e6a5a13b3cd9c5db30d6cb92b8776842df83410d8516064c11ffb80aba7ca30a5f2a7c314a1ce63d4a02a595ba97b0a11d23466cbfc2356413ed7be195bd838cc79293620f376adc5b3130b538128903b41879fba875df7df874e5d88be90c9fd1e5a9c16579f28e26c59c8616de1acbf052bf74711a0382b7c6c8a7aab31a65767bba43585ff4d7c14ceceb096f92accc2059fdae11c12c3be346f1e35e21cd90598f223a6ecc40e601af56e5f60ef694cbcdc03b2ac0dbd8fa65467cedccb2f46bce1339520a963394a35e56ab7870203010001a37c307a30120603551d130101ff040830060101ff020100301106096086480186f8420101040403020204300b0603551d0f040403020106301d0603551d250416301406082b0601050507030106082b06010505070302302506096086480186f842010d041816164f70656e53534c204341204365727469666963617465300d06092a864886f70d010105050003820101008b5c1a22ece724034f3fd5be07c19a706a076ecbdc9d799800dc1cef121b7cc1e3219de83111ef7b7a25cd677079c85a94cebd99ddeb21d6eb3afda74f3bcbfd8d7d25da45581310ae6321c41d88b245102c060edb76875faea630f56daa88b17e811cf3f6dabee21a56f281e826b7e2d8499eb622cba18b498749de17300b36341e9cb2c76cf952429706bf4743841c7f6d4ef8e0e96dcdd905de86b8161c446f7b387d76744a16ecd1f2813933669cb9fee2ed52f3a25e5056a9d0f2dc9eeadf85352caedf013f1deca04331a3df29b83221a09e65263a94af9652c5871acbff896936af81372731bcad9fd3ce4db1c057c2c7c54997b879fcfb0b8325429a	rundll32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

rundll32.exe

pid process

1692 rundll32.exe
1692 rundll32.exe
1692 rundll32.exe
1692 rundll32.exe
1692 rundll32.exe

pid	process
1692	rundll32.exe
1692	rundll32.exe
1692	rundll32.exe
1692	rundll32.exe
1692	rundll32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1692	rundll32.exe
Token: SeDebugPrivilege	1692	rundll32.exe
Token: SeDebugPrivilege	1692	rundll32.exe
Token: SeDebugPrivilege	1692	rundll32.exe
Token: SeDebugPrivilege	1692	rundll32.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

rundll32.exerundll32.execmd.exe

description	pid	process	target process
PID 1832 wrote to memory of 1692	1832	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 1692	1832	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 1692	1832	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 1692	1832	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 1692	1832	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 1692	1832	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 1692	1832	rundll32.exe	rundll32.exe
PID 1692 wrote to memory of 1964	1692	rundll32.exe	regsvr32.exe
PID 1692 wrote to memory of 1964	1692	rundll32.exe	regsvr32.exe
PID 1692 wrote to memory of 1964	1692	rundll32.exe	regsvr32.exe
PID 1692 wrote to memory of 1964	1692	rundll32.exe	regsvr32.exe
PID 1692 wrote to memory of 1964	1692	rundll32.exe	regsvr32.exe
PID 1692 wrote to memory of 1964	1692	rundll32.exe	regsvr32.exe
PID 1692 wrote to memory of 1964	1692	rundll32.exe	regsvr32.exe
PID 1692 wrote to memory of 2960	1692	rundll32.exe	cmd.exe
PID 1692 wrote to memory of 2960	1692	rundll32.exe	cmd.exe
PID 1692 wrote to memory of 2960	1692	rundll32.exe	cmd.exe
PID 1692 wrote to memory of 2960	1692	rundll32.exe	cmd.exe
PID 2960 wrote to memory of 1304	2960	cmd.exe	timeout.exe
PID 2960 wrote to memory of 1304	2960	cmd.exe	timeout.exe
PID 2960 wrote to memory of 1304	2960	cmd.exe	timeout.exe
PID 2960 wrote to memory of 1304	2960	cmd.exe	timeout.exe
PID 2960 wrote to memory of 2636	2960	cmd.exe	timeout.exe
PID 2960 wrote to memory of 2636	2960	cmd.exe	timeout.exe
PID 2960 wrote to memory of 2636	2960	cmd.exe	timeout.exe
PID 2960 wrote to memory of 2636	2960	cmd.exe	timeout.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll" /i /n /s:"$$qTRjZQ8H7KumVTUugD-inHQ4H5YQVfDhdgjESvVa9HdihqG0ud5wlSSjY81wdZ9cgc5MGH8AlAT6bSNGUOCObqxDI60MSJyzhYgF6b5RMrnUlTUqmGyhAqfUM9We4eotwkcSS3peLG_2libIuVnT26UvbaHpVqqHt5bDFkaGy3IdnwN3hBxKMKVC_E6RBf9XyZnE156OmRWtGhWyK-lSTs5FFHyquOGfObkQOuYy2cLfUA9lkoVAMIFtykQh5wCqtnGIgQxQ4zgrpmz6x7A8bMI1mGnekmuBWrjxAAPt3L4HafH52M9ms7AxDWIF-8jFfHit2bV51M4o3FRRjllSuBIhg4o_P8AsLYp9OrE7iA1mZLu94mx2bZPVBX268XblEknvuRRZhUFUXLbGshqrVk42YbzuyqIL_Yy11Lj-V4MqXL_BtkrdyujJcINh_sece1WkVOARx2i65KHvfxFHiC1B8CiGds4azEqxxjs7kpc15b6tGb61Uxe04hoOTHGwE2Fo2Sf5gzYmG8FFI8dDT0uQLvBNHcFe4O37MrRRdemt3OH9Ld0Hq4pSjAaGEqq0Pj8U91K3f5-L20XBrVrJdgjBYt_xsGd29YX10TR61wfpGNz3MjvEy5whcAW7Cz4gz_nL6RoRS1esVID2CaEgSssBOdjrgwQQ$$"
2⤵
PID:1964

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll,#1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c for /l %x in (1, 1, 2) do del /Q "C:\Users\Admin\AppData\Local\Temp\65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll" & timeout /t 5
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
4⤵
- Delays execution with timeout.exe
PID:1304

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
4⤵
- Delays execution with timeout.exe
PID:2636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1692-0-0x0000000074CB1000-0x0000000074D97000-memory.dmp

Filesize
920KB

Download
memory/1692-1-0x0000000074CB0000-0x0000000074E1F000-memory.dmp

Filesize
1.4MB

Download
memory/1692-2-0x0000000074CB0000-0x0000000074E1F000-memory.dmp

Filesize
1.4MB

Download
memory/1692-7-0x0000000074CB1000-0x0000000074D97000-memory.dmp

Filesize
920KB

Download
memory/1964-3-0x0000000074CB0000-0x0000000074E1F000-memory.dmp

Filesize
1.4MB

Download
memory/1964-4-0x0000000074CB0000-0x0000000074E1F000-memory.dmp

Filesize
1.4MB

Download
memory/1964-5-0x0000000074CB0000-0x0000000074E1F000-memory.dmp

Filesize
1.4MB

Download
memory/1964-6-0x0000000074CB0000-0x0000000074E1F000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads