ab3e4f1244221a33e4995c6bad5e84a5533c633e7efa51c61fd958803ac5ec14

General

Target

65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll
Size

1.4MB
MD5

65be5073c6f4834d3d1c73594d97b75d
SHA1

06c6bc46067313ccaf0d0dad517f5f216f46b4be
SHA256

ab3e4f1244221a33e4995c6bad5e84a5533c633e7efa51c61fd958803ac5ec14
SHA512

a1f333d5001246ce6443d2203b31af97bc946326453680dd5d5c4f8c9c60ca473f844a1ee565b56ccc618434c794d449aa4f618604ee9a1b227e6203be8310c9
SSDEEP

24576:651RzX5yRZj474urTiFDhRj5m6tYFyIG4SN6u0QHsBQ4oxKy1fumXF:DZj474GOdcG76u0QMBQ4ox5umX

Score

10^/10

discovery evasion trojan

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2280 created 608 2280 rundll32.exe winlogon.exe

description	pid	process	target process
PID 2280 created 608	2280	rundll32.exe	winlogon.exe

Windows security bypass 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\ = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C:\Users\Admin\AppData\Local\Temp\65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C:\Windows\SysWOW64\rundll32.exe = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\ = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\1716346001 = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\{397F3C6B-406E-9D34-CE6A-1F5D0B21B113} = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\rundll32.exe = "0"	regsvr32.exe

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

38 2280 rundll32.exe
40 2280 rundll32.exe
42 2280 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

flow	pid	process
38	2280	rundll32.exe
40	2280	rundll32.exe
42	2280	rundll32.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DISK\ENUM	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	rundll32.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3380 timeout.exe
2600 timeout.exe

pid	process
3380	timeout.exe
2600	timeout.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E\Blob = 03000000010000001400000026d9e607fff0c58c7844b47ff8b6e079e5a2220e2000000001000000fd030000308203f9308202e1a003020102020900b6e1abf38b9ab41a300d06092a864886f70d0101050500307d310b300906035504061302494c3111300f06035504081308477573682044616e3112301006035504071309486572747a696c69613121301f060355040a1318477265656e5465616d20496e7465726e65742c204c74642e310c300a060355040b1303576562311630140603550403130d636c6f756467756172642e6d65301e170d3134303732333137323531355a170d3434303731353137323531355a307d310b300906035504061302494c3111300f06035504081308477573682044616e3112301006035504071309486572747a696c69613121301f060355040a1318477265656e5465616d20496e7465726e65742c204c74642e310c300a060355040b1303576562311630140603550403130d636c6f756467756172642e6d6530820122300d06092a864886f70d01010105000382010f003082010a0282010100be81e2dbe640e8c8a9e76c999ef6e0c46742128d3d0474d43d2849abf5149c8294cf2fb58de6bc42b190042de09615a65e6a5a13b3cd9c5db30d6cb92b8776842df83410d8516064c11ffb80aba7ca30a5f2a7c314a1ce63d4a02a595ba97b0a11d23466cbfc2356413ed7be195bd838cc79293620f376adc5b3130b538128903b41879fba875df7df874e5d88be90c9fd1e5a9c16579f28e26c59c8616de1acbf052bf74711a0382b7c6c8a7aab31a65767bba43585ff4d7c14ceceb096f92accc2059fdae11c12c3be346f1e35e21cd90598f223a6ecc40e601af56e5f60ef694cbcdc03b2ac0dbd8fa65467cedccb2f46bce1339520a963394a35e56ab7870203010001a37c307a30120603551d130101ff040830060101ff020100301106096086480186f8420101040403020204300b0603551d0f040403020106301d0603551d250416301406082b0601050507030106082b06010505070302302506096086480186f842010d041816164f70656e53534c204341204365727469666963617465300d06092a864886f70d010105050003820101008b5c1a22ece724034f3fd5be07c19a706a076ecbdc9d799800dc1cef121b7cc1e3219de83111ef7b7a25cd677079c85a94cebd99ddeb21d6eb3afda74f3bcbfd8d7d25da45581310ae6321c41d88b245102c060edb76875faea630f56daa88b17e811cf3f6dabee21a56f281e826b7e2d8499eb622cba18b498749de17300b36341e9cb2c76cf952429706bf4743841c7f6d4ef8e0e96dcdd905de86b8161c446f7b387d76744a16ecd1f2813933669cb9fee2ed52f3a25e5056a9d0f2dc9eeadf85352caedf013f1deca04331a3df29b83221a09e65263a94af9652c5871acbff896936af81372731bcad9fd3ce4db1c057c2c7c54997b879fcfb0b8325429a	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FA47EF9F4168443796E2A534A90D9D36C1C18572	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FA47EF9F4168443796E2A534A90D9D36C1C18572\Blob = 030000000100000014000000fa47ef9f4168443796e2a534a90d9d36c1c185722000000001000000cd030000308203c9308202b1a003020102020900d98308e45f1730f5300d06092a864886f70d01010505003065310b30090603550406130255533111300f060355040713084e657720596f726b311d301b060355040a13144257506c617965722043657274696669636174653111300f060355040b13084257506c617965723111300f060355040313084257506c61796572301e170d3138303132323131353631375a170d3438303131353131353631375a3065310b30090603550406130255533111300f060355040713084e657720596f726b311d301b060355040a13144257506c617965722043657274696669636174653111300f060355040b13084257506c617965723111300f060355040313084257506c6179657230820122300d06092a864886f70d01010105000382010f003082010a0282010100addc4d3e91686c4409bc81594db895497f51ba4391d1cdd3a5f023b7b5b7386f03863ff8af25814b0b2d7de511bb4515936cad031e20a2be99c04b1ec2b21a6bd8f107b3ed9d67d1c455f2f6854c7e8310ac0ef014ff69119bb60f87a61dc4f40a49b62eb1af5493076cb90d736afe8aa9b3a80fe17818a95ffe33adfc2c0492437144c8edd4c2665c2172bc69bb3be29164b96550bc62e6dcb18fc71c795f2d1922ff394b095c02643e2859c75d9aa3121d6f6b22c785730ed45f66bef0acbda739ab1ff60e4cba43bed235fe6b979d1c0422b60068422c86945c6594854301e58ab2a2fb49121675b15c1c7793476093d3da84702e637a691ababf0268e58d0203010001a37c307a30120603551d130101ff040830060101ff020100301106096086480186f8420101040403020204300b0603551d0f040403020106301d0603551d250416301406082b0601050507030106082b06010505070302302506096086480186f842010d041816164f70656e53534c204341204365727469666963617465300d06092a864886f70d010105050003820101005114df932c65ef49a656d1315aabaea70d75c696ae6060766818ed0dc95ee86d99ec858118e7727ac355ad5f71e98e210b89ec87cccacee7ca1146aba9537a08b1d8f8543a700c4f5c895eb81b9681438deaa8905cd0852209dab68baa845bb3d56159e6b2463f11f7a5936bbc887841d75ccb09401be88581a079d49236a37dcbe8a3fc538293a6d4842db85ec8be5faa9bafc453de3be56f8d0bb73a79c193d78bec90ed22b54151a9a42051d9d102c75bce07be4bb4273bc117ba2e47b544d3e656adaa88ccea61274dde5a966df5212270ca2f3fb025ef2cf6938caaa9fc7a4dbc214a2ced10b44740dd2d7449772849fd4806e594c19586089f6a56f7bf	rundll32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

rundll32.exe

pid	process
2280	rundll32.exe
2280	rundll32.exe
2280	rundll32.exe
2280	rundll32.exe
2280	rundll32.exe
2280	rundll32.exe
2280	rundll32.exe
2280	rundll32.exe
2280	rundll32.exe
2280	rundll32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2280	rundll32.exe
Token: SeDebugPrivilege	2280	rundll32.exe
Token: SeDebugPrivilege	2280	rundll32.exe
Token: SeDebugPrivilege	2280	rundll32.exe
Token: SeDebugPrivilege	2280	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

rundll32.exerundll32.execmd.exe

description	pid	process	target process
PID 1524 wrote to memory of 2280	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2280	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2280	1524	rundll32.exe	rundll32.exe
PID 2280 wrote to memory of 2668	2280	rundll32.exe	regsvr32.exe
PID 2280 wrote to memory of 2668	2280	rundll32.exe	regsvr32.exe
PID 2280 wrote to memory of 2668	2280	rundll32.exe	regsvr32.exe
PID 2280 wrote to memory of 620	2280	rundll32.exe	cmd.exe
PID 2280 wrote to memory of 620	2280	rundll32.exe	cmd.exe
PID 2280 wrote to memory of 620	2280	rundll32.exe	cmd.exe
PID 620 wrote to memory of 3380	620	cmd.exe	timeout.exe
PID 620 wrote to memory of 3380	620	cmd.exe	timeout.exe
PID 620 wrote to memory of 3380	620	cmd.exe	timeout.exe
PID 620 wrote to memory of 2600	620	cmd.exe	timeout.exe
PID 620 wrote to memory of 2600	620	cmd.exe	timeout.exe
PID 620 wrote to memory of 2600	620	cmd.exe	timeout.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll" /i /n /s:"$$vu6AIFYxhOMk7W6IUZnJFL6hoDmJisMjRHTkfDTGXu_RTVlW5mu_-ZKaZTbMHBLhWPauzn9fBaJc1pwDNAjHZItVo55hv5PjHpk9Iv-lAzaNiCZU0Uc33bpr1oDY6gbC0_4Ejs2iySR7OqCPM8P56ktq2jb-KLSffOvki77arvCqN2JhvqSpzpCWLD1qAjtDOSF4U6SV7c2Dodd59maPgbK7aG5bJR2hkwKGtK87JaJ6lzPp73al6jTSn8Kzew1394Mtb44krmvPCd3fbVpO5FT4WqjcbyoR2Cd_wnvWnd7yAkylni1A6e1qeJGFXMOiaH30ycMirGR6G8xLD3K6g6xh3lzgDL8LKZi_VAIt5SGpTYA7oPRRLJPeVlQICwMNMu0tIwKjN4AGgcThQusHxzNXwvH071eSYoRX3C5Ppi737_6Cf5h7b6Vy2BVnyUu4gybEyhp_AmLwZuswPptzQdDy9sl20d7JWgEqawliQ4QKSd2tZApcGTbFkrFfjQkRXvYhS6NS5gh80-aBMmaS0zB4NELcRaY76yTyhnNY0zMHZoyGgxJVYcBqDNKq_digCAk3S_GQp0Gcg72SIJvY6tkjApvJuoZmSmzJbpefHmRTB7UaTopCOYz_J6m3wcZMN_XdDB1d_EatuAHmxiOGCpbJO-LhlyxnCjlp$$"
2⤵
- Windows security bypass
PID:2668

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll,#1
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\SysWOW64\cmd.exe
cmd /c for /l %x in (1, 1, 2) do del /Q "C:\Users\Admin\AppData\Local\Temp\65be5073c6f4834d3d1c73594d97b75d_JaffaCakes118.dll" & timeout /t 5
3⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
4⤵
- Delays execution with timeout.exe
PID:3380

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
4⤵
- Delays execution with timeout.exe
PID:2600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

1

T1562.001

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2280-0-0x0000000075091000-0x0000000075177000-memory.dmp

Filesize
920KB

Download
memory/2280-2-0x0000000075090000-0x00000000751FF000-memory.dmp

Filesize
1.4MB

Download
memory/2280-1-0x0000000075090000-0x00000000751FF000-memory.dmp

Filesize
1.4MB

Download
memory/2280-7-0x0000000075091000-0x0000000075177000-memory.dmp

Filesize
920KB

Download
memory/2668-3-0x0000000075090000-0x00000000751FF000-memory.dmp

Filesize
1.4MB

Download
memory/2668-5-0x0000000075090000-0x00000000751FF000-memory.dmp

Filesize
1.4MB

Download
memory/2668-4-0x0000000075090000-0x00000000751FF000-memory.dmp

Filesize
1.4MB

Download
memory/2668-6-0x0000000075090000-0x00000000751FF000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads