7146f9eee55a4519eed0b9cde362fb84e47115b576937a149d613e8e018a23d6

General

Target

0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe
Size

211KB
MD5

0274d65f4ee68b1fb425357c713cf8bd
SHA1

e9a7c1d9e8296eb8495160749d188aee55aaad02
SHA256

7146f9eee55a4519eed0b9cde362fb84e47115b576937a149d613e8e018a23d6
SHA512

df68405bb61675e3cc377d0e6a5972cbd5c03a1f37c708f24bb25ca323ac56569e17f1c6f62b2d34b503a447f705e46e566dc190d31cc959482797d9ef68dc66
SSDEEP

3072:oUGPS1zzF2puPFG0bGzIMnzOI4faa8B57+g5B3Qg+YMDUVLZq6mViKJTjwKCtBGx:P1fFvtnqz5z9a8B5VfQChqxHqFg2Fk

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppCert DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.
persistence privilege_escalation

AppCert DLLs
T1546.009

Deletes itself 1 IoCs

pid	Process
2780	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1224	Explorer.EXE

Loads dropped DLL 8 IoCs

pid	Process
2356	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2996	rundll32.exe
2780	cmd.exe
2976	attrib.exe
860	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dpnsInit64.dll	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dpnsInit.dll	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2356	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2996	2356	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe	28
PID 2356 wrote to memory of 2996	2356	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe	28
PID 2356 wrote to memory of 2996	2356	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe	28
PID 2356 wrote to memory of 2996	2356	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe	28
PID 2356 wrote to memory of 2780	2356	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe	29
PID 2356 wrote to memory of 2780	2356	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe	29
PID 2356 wrote to memory of 2780	2356	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe	29
PID 2356 wrote to memory of 2780	2356	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe	29
PID 2356 wrote to memory of 2780	2356	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe	29
PID 2356 wrote to memory of 2780	2356	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe	29
PID 2356 wrote to memory of 2780	2356	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe	29
PID 2996 wrote to memory of 1224	2996	rundll32.exe	21
PID 2996 wrote to memory of 1224	2996	rundll32.exe	21
PID 2780 wrote to memory of 2976	2780	cmd.exe	31
PID 2780 wrote to memory of 2976	2780	cmd.exe	31
PID 2780 wrote to memory of 2976	2780	cmd.exe	31
PID 2780 wrote to memory of 2976	2780	cmd.exe	31
PID 2780 wrote to memory of 2976	2780	cmd.exe	31
PID 2780 wrote to memory of 2976	2780	cmd.exe	31
PID 2780 wrote to memory of 2976	2780	cmd.exe	31

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2976	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1224
- C:\Users\Admin\AppData\Local\Temp\0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\dpnsInit64.dll",CreateProcessNotify
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\259414826.bat" "C:\Users\Admin\AppData\Local\Temp\0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe""
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -r -h"C:\Users\Admin\AppData\Local\Temp\0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe"
      4⤵
      Loads dropped DLL
      Views/modifies file attributes
      PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

AppCert DLLs

1

T1546.009

Privilege Escalation

Event Triggered Execution

1

T1546

AppCert DLLs

1

T1546.009

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259414826.bat

Filesize
97B

MD5
d226a657b279c5fc0a892748230a56ff

SHA1
fa7e4fb6d6de3c4769001cbfce0a00ba02ef28a5

SHA256
9dae2767b8e3499d37418a75ddd04d457c7ec8d6c8f312ee109c95a8a97e7761

SHA512
07d55ccf3b511c3be64f6dcd05cea3feaafb286196e5d7ba30016ab6d9c0d656fb7cde8eb1ce0ef28a41f1f3f00f0e29020c92479619fd43e4ed47b829f8bf2a

Download Submit
\Windows\SysWOW64\dpnsInit.dll

Filesize
65KB

MD5
83d1388959ad733f40c785d751aa119a

SHA1
f3cb42e0ed55f139feada3c1d2ce5528874c9fac

SHA256
f1ac4f44060d244cdce1fe85d7ae9758f3217415735eefa9f055457bfb74d484

SHA512
13b499cd0a3e6050a0bbed61df3cec1a9138e68cea6e9be77a638c5b5d3ec1ac7040022b94830112363052d4ddf4ac58af23a201ce9bf718977505b2b7d74c77

Download Submit
\Windows\System32\dpnsInit64.dll

Filesize
73KB

MD5
bf1f0dc6eb99b444bc727c172c4524d0

SHA1
57b660e21602b7e2138751d63829d61c801b2086

SHA256
8c27915722deb5fbd4b86cfe0770e8772c172c6c12932b3c3e539a0d57831453

SHA512
a669747f6ae13973542a7f9acedf7a37f937b75e20fe8373980e8793817d0b94eabb5c49d20fd2b65a0f9f636e6d1f5e3f73c599cd956892ec3d47f310cedb8d

Download Submit
memory/1224-38-0x0000000180000000-0x0000000180019000-memory.dmp

Filesize
100KB

Download
memory/1224-27-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/2356-7-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2356-0-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2356-6-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/2356-39-0x0000000001000000-0x0000000001037000-memory.dmp

Filesize
220KB

Download
memory/2356-1-0x0000000001000000-0x0000000001037000-memory.dmp

Filesize
220KB

Download
memory/2356-40-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2356-43-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2356-42-0x0000000001000000-0x0000000001037000-memory.dmp

Filesize
220KB

Download
memory/2780-22-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2780-50-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2976-49-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2996-14-0x0000000001D70000-0x0000000001D71000-memory.dmp

Filesize
4KB

Download
memory/2996-25-0x0000000180000000-0x0000000180019000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing