cd2aede691a4fb0d57d598a741ca41949d5cde95bb8e0ca6506183ca0bb49f24

General

Target

b7eb2b5b1915c7324bcee3d4e6188f96_JaffaCakes118.exe
Size

520KB
MD5

b7eb2b5b1915c7324bcee3d4e6188f96
SHA1

bd2a7466d1528035582e72746570c7b924dfd1be
SHA256

cd2aede691a4fb0d57d598a741ca41949d5cde95bb8e0ca6506183ca0bb49f24
SHA512

e2a0c3790d3b4a4743cc9588969ad0910742c564a54f713328540c78a219e764ff1c9b8b0b1711fc4aa9fe1b7edc529e35e82cabaa7c3565d199e0069ca432f9
SSDEEP

3072:S6h/T4FL5vCZelJr6H/hqd87COVSUBcfSPD2YqUGM:SM/cakiqOnt2fqaYNG

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	pdhsteps.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	pdhsteps.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	pdhsteps.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-cb-7e-1e-58-a7	pdhsteps.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	pdhsteps.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	pdhsteps.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D3825C1-197E-4328-ACC9-053113537B39}	pdhsteps.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D3825C1-197E-4328-ACC9-053113537B39}\WpadDecisionTime = 20944e9999c0da01	pdhsteps.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D3825C1-197E-4328-ACC9-053113537B39}\WpadNetworkName = "Network 3"	pdhsteps.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	pdhsteps.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-cb-7e-1e-58-a7\WpadDecisionTime = 20944e9999c0da01	pdhsteps.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-cb-7e-1e-58-a7\WpadDecision = "0"	pdhsteps.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-cb-7e-1e-58-a7\WpadDecisionReason = "1"	pdhsteps.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	pdhsteps.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	pdhsteps.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	pdhsteps.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D3825C1-197E-4328-ACC9-053113537B39}\WpadDecisionReason = "1"	pdhsteps.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D3825C1-197E-4328-ACC9-053113537B39}\WpadDecision = "0"	pdhsteps.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D3825C1-197E-4328-ACC9-053113537B39}\06-cb-7e-1e-58-a7	pdhsteps.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1676	b7eb2b5b1915c7324bcee3d4e6188f96_JaffaCakes118.exe
1936	b7eb2b5b1915c7324bcee3d4e6188f96_JaffaCakes118.exe
2544	pdhsteps.exe
2652	pdhsteps.exe
2652	pdhsteps.exe
2652	pdhsteps.exe
2652	pdhsteps.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1936	b7eb2b5b1915c7324bcee3d4e6188f96_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1936	1676	b7eb2b5b1915c7324bcee3d4e6188f96_JaffaCakes118.exe	28
PID 1676 wrote to memory of 1936	1676	b7eb2b5b1915c7324bcee3d4e6188f96_JaffaCakes118.exe	28
PID 1676 wrote to memory of 1936	1676	b7eb2b5b1915c7324bcee3d4e6188f96_JaffaCakes118.exe	28
PID 1676 wrote to memory of 1936	1676	b7eb2b5b1915c7324bcee3d4e6188f96_JaffaCakes118.exe	28
PID 2544 wrote to memory of 2652	2544	pdhsteps.exe	30
PID 2544 wrote to memory of 2652	2544	pdhsteps.exe	30
PID 2544 wrote to memory of 2652	2544	pdhsteps.exe	30
PID 2544 wrote to memory of 2652	2544	pdhsteps.exe	30

C:\Users\Admin\AppData\Local\Temp\b7eb2b5b1915c7324bcee3d4e6188f96_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7eb2b5b1915c7324bcee3d4e6188f96_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\b7eb2b5b1915c7324bcee3d4e6188f96_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b7eb2b5b1915c7324bcee3d4e6188f96_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  PID:1936

C:\Windows\SysWOW64\pdhsteps.exe
"C:\Windows\SysWOW64\pdhsteps.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SysWOW64\pdhsteps.exe
  "C:\Windows\SysWOW64\pdhsteps.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1676-0-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1676-6-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/1676-5-0x0000000000180000-0x0000000000197000-memory.dmp

Filesize
92KB

Download
memory/1676-4-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1936-27-0x0000000000F00000-0x0000000000F84000-memory.dmp

Filesize
528KB

Download
memory/1936-11-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1936-7-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1936-13-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/1936-12-0x0000000000140000-0x0000000000157000-memory.dmp

Filesize
92KB

Download
memory/1936-28-0x0000000000140000-0x0000000000157000-memory.dmp

Filesize
92KB

Download
memory/2544-20-0x00000000000E0000-0x00000000000F0000-memory.dmp

Filesize
64KB

Download
memory/2544-14-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2544-26-0x0000000000200000-0x0000000000217000-memory.dmp

Filesize
92KB

Download
memory/2544-18-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2544-19-0x0000000000200000-0x0000000000217000-memory.dmp

Filesize
92KB

Download
memory/2652-25-0x00000000002A0000-0x00000000002B7000-memory.dmp

Filesize
92KB

Download
memory/2652-21-0x00000000002A0000-0x00000000002B7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing