10bf49ec7e5c4b92fec447e9e7362e89900fb3d8542c9bffc72ffbe4d5a4cdec

General

Target

bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Size

1.2MB
MD5

bb76ed7540a0dec49577ed89042c9b39
SHA1

56293d57896df8752c92c033ae7c16d3891a97a1
SHA256

10bf49ec7e5c4b92fec447e9e7362e89900fb3d8542c9bffc72ffbe4d5a4cdec
SHA512

9f1be1865716e257ff461f0eabc78a5853064c9e7a3f2aa371e9cc6d829aa6ff2c114c248e96edcb0e12c525df12c72ab1d9911b7d14ecb5c2d4fd7cf5aa4a15
SSDEEP

24576:QGOQLjoogapm6uhrPoRYyKVk21hmKSKcj0yWO:nlLmac3oOfRmKpYhd

Score

7^/10

evasion persistence privilege_escalation trojan

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

Modifies registry class 34 IoCs

Processes:

bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\ = "TinyJSObject Class"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS\ = "0"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib\ = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version\ = "1.0"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\ = "JSIELib"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

pid process

3984 bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
3984 bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

pid	process
3984	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
3984	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Privilege Escalation

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3984-3-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/3984-2-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/3984-1-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/3984-9-0x0000000001310000-0x0000000001311000-memory.dmp

Filesize
4KB

Download
memory/3984-8-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/3984-7-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/3984-6-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/3984-5-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/3984-4-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/3984-0-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/3984-10-0x00000000035C0000-0x00000000035C2000-memory.dmp

Filesize
8KB

Download
memory/3984-11-0x0000000003AA0000-0x0000000003AA2000-memory.dmp

Filesize
8KB

Download
memory/3984-12-0x0000000003D60000-0x0000000003D62000-memory.dmp

Filesize
8KB

Download
memory/3984-15-0x0000000004320000-0x0000000004322000-memory.dmp

Filesize
8KB

Download
memory/3984-16-0x0000000004190000-0x00000000042BA000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing