84924cc8e6a943ea4a7769379ad67178b4878809fc28a5552682ac6eea0e6c7d

General

Target

01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe
Size

188KB
MD5

01c9a70fb7e17f9d215f2346ac4055b5
SHA1

e975065193cdcb04cabd256dfbe631a033d772ac
SHA256

84924cc8e6a943ea4a7769379ad67178b4878809fc28a5552682ac6eea0e6c7d
SHA512

b4bc41789fcab4f88bfae56df8a4f49942c9ad867d53449e147f26fee4cdbd2f38b0d2b9d13280532a411c19d1d091763bfad809a0a925e5bee6db5d7919e498
SSDEEP

3072:U9m0jofzTJK5fICGdNEi1w7Z/WpEy5kym65jVA13usrF2y31uXzFaC:cmTTJsyNEhA5cMARusrAsuXzoC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2432	svhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2880	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe
2880	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1337 = "C:\\Windows\\system\\svhost.exe"	reg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\1337logs\ofiara.0.htm	svhost.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\system\svhost.exe	xcopy.exe
File created	C:\Windows\system\wuaclt.exe	xcopy.exe
File created	C:\Windows\1337.ini	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe
File created	C:\Windows\system\svhost.sd7	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe
File opened for modification	C:\Windows\system\wuaclt.exe	xcopy.exe
File created	C:\Windows\bez tytu³u2.JPG	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe
File created	C:\Windows\system\svhost.sd	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe
File created	C:\Windows\system\wuaclt.sd	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe
File opened for modification	C:\Windows\system\svhost.exe	xcopy.exe
File created	C:\Windows\system\wuaclt.sd7	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe
File opened for modification	C:\Windows\system	xcopy.exe
File opened for modification	C:\Windows\bez tytu³u2.JPG	DllHost.exe
File opened for modification	C:\Windows\1337.ini	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2616	DllHost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2368	2880	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	28
PID 2880 wrote to memory of 2368	2880	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	28
PID 2880 wrote to memory of 2368	2880	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	28
PID 2880 wrote to memory of 2368	2880	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2156	2368	cmd.exe	30
PID 2368 wrote to memory of 2156	2368	cmd.exe	30
PID 2368 wrote to memory of 2156	2368	cmd.exe	30
PID 2368 wrote to memory of 2156	2368	cmd.exe	30
PID 2880 wrote to memory of 2892	2880	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	32
PID 2880 wrote to memory of 2892	2880	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	32
PID 2880 wrote to memory of 2892	2880	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	32
PID 2880 wrote to memory of 2892	2880	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	32
PID 2892 wrote to memory of 2576	2892	cmd.exe	34
PID 2892 wrote to memory of 2576	2892	cmd.exe	34
PID 2892 wrote to memory of 2576	2892	cmd.exe	34
PID 2892 wrote to memory of 2576	2892	cmd.exe	34
PID 2880 wrote to memory of 2596	2880	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	35
PID 2880 wrote to memory of 2596	2880	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	35
PID 2880 wrote to memory of 2596	2880	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	35
PID 2880 wrote to memory of 2596	2880	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	35
PID 2880 wrote to memory of 2432	2880	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	37
PID 2880 wrote to memory of 2432	2880	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	37
PID 2880 wrote to memory of 2432	2880	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	37
PID 2880 wrote to memory of 2432	2880	01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe	37

C:\Users\Admin\AppData\Local\Temp\01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01c9a70fb7e17f9d215f2346ac4055b5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD HKLM\software\microsoft\windows\currentversion\run /v 1337 /d %windir%\system\svhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\software\microsoft\windows\currentversion\run /v 1337 /d C:\Windows\system\svhost.exe
    3⤵
    - Adds Run key to start application
    PID:2156
- C:\Windows\SysWOW64\cmd.exe
  cmd /C xcopy "%windir%\system\*.sd7" "%windir%\system\*.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "C:\Windows\system\*.sd7" "C:\Windows\system\*.exe"
    3⤵
    - Drops file in Windows directory
    - Enumerates system info in registry
    PID:2576
- C:\Windows\SysWOW64\cmd.exe
  cmd /C copy "%userprofile%\gadu-gadu\ja\config.dat" "%windir%\system32\1337logs\config.dat"
  2⤵
  PID:2596
- C:\Windows\system\svhost.exe
  "C:\Windows\system\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:2432

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\1337.ini

Filesize
118B

MD5
30efdbf73989806b5c748b1c22c53cb1

SHA1
5821cc1e89a9fda438c41b87712b188405367e06

SHA256
25d109f34670c4a50311a913ed5ff005df87d8bb02ae8fe2b32fb6ff31339f29

SHA512
97bcc62ca4dccb5a35791601d0d4245d8d4b7ce63068481248025422e2fed49ddfe4665bca15ff1c1a753a60921c8da4e701045055a2cc57a2da53ff25810b41

Download Submit
C:\Windows\bez tytu³u2.JPG

Filesize
69KB

MD5
cb3667d77d12df2f1e630d07d6adfa28

SHA1
b6478fd5b8f9f6bd7e3fa63458bef7c060f16e2e

SHA256
dfcfa54daaf14067e4b4687924486b600727eb5c063f0899a6044830e1e3c78c

SHA512
6bcf7625ce503036758c3b0522a1900c21641905d58f47c3fd40f7e583bb42b49d4edfaf703ed02bd4573c650b29a6f3f371e753a6f43d7495631328061ba7bd

Download Submit
C:\Windows\system\svhost.sd7

Filesize
32KB

MD5
7c3d8955631512e938b8a2e0a3b82ade

SHA1
d3b5c3d06088654e40796f461f7fead9eccf6147

SHA256
4fdede0161ac67f8d0c9f01963e0eae52c6669ba06262ee30aca9d49c1a88103

SHA512
a60d05ac1ea306158780eb291c657aa957b89db6dcfa24753e2160ecd71a36f2a17349a2185c3dab5d200d7fc9a5523d9466bc87d59ec032f315b1990c71d597

Download Submit
C:\Windows\system\wuaclt.sd7

Filesize
24KB

MD5
d283a06cd1bc40dbafc221cdfc323907

SHA1
4bd647cb10781699628ce2045367bce80db1243e

SHA256
63c25587320cf0a6772f862d974a969b587a6e4f517a527c6ab5336042233445

SHA512
d91dd62d7ae378a7fbf15aceff2917c91fdb54a9cc770aebfa6f327cabd507c18b6f6715b07620b96d571172df26d2947307938c3bd4fc5a83353bc499cbbdb9

Download Submit
memory/2616-4-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2616-5-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2616-27-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2880-3-0x0000000002780000-0x0000000002782000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads