7146f9eee55a4519eed0b9cde362fb84e47115b576937a149d613e8e018a23d6

General

Target

0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe
Size

211KB
MD5

0274d65f4ee68b1fb425357c713cf8bd
SHA1

e9a7c1d9e8296eb8495160749d188aee55aaad02
SHA256

7146f9eee55a4519eed0b9cde362fb84e47115b576937a149d613e8e018a23d6
SHA512

df68405bb61675e3cc377d0e6a5972cbd5c03a1f37c708f24bb25ca323ac56569e17f1c6f62b2d34b503a447f705e46e566dc190d31cc959482797d9ef68dc66
SSDEEP

3072:oUGPS1zzF2puPFG0bGzIMnzOI4faa8B57+g5B3Qg+YMDUVLZq6mViKJTjwKCtBGx:P1fFvtnqz5z9a8B5VfQChqxHqFg2Fk

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppCert DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.
persistence privilege_escalation

AppCert DLLs
T1546.009

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe

Loads dropped DLL 4 IoCs

pid	Process
2548	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe
3488	Process not Found
1636	rundll32.exe
3776	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\chknconf.dll	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\chknconf64.dll	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4984	3776	WerFault.exe	105
1956	3776	WerFault.exe	105

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2548	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe
2548	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1636	2548	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe	97
PID 2548 wrote to memory of 1636	2548	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe	97
PID 2548 wrote to memory of 3776	2548	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe	105
PID 2548 wrote to memory of 3776	2548	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe	105
PID 2548 wrote to memory of 3776	2548	0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe	105

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2660	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\chknconf64.dll",CreateProcessNotify
  2⤵
  - Loads dropped DLL
  PID:1636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240654921.bat" "C:\Users\Admin\AppData\Local\Temp\0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe""
  2⤵
  - Loads dropped DLL
  PID:3776
- - C:\Windows\SysWOW64\attrib.exe
    attrib -s -r -h"C:\Users\Admin\AppData\Local\Temp\0274d65f4ee68b1fb425357c713cf8bd_JaffaCakes118.exe"
    3⤵
    - Views/modifies file attributes
    PID:2660
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 524
    3⤵
    - Program crash
    PID:4984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 544
    3⤵
    - Program crash
    PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2548 -ip 2548
1⤵
PID:2636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1716,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=3028 /prefetch:8
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3776 -ip 3776
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3776 -ip 3776
1⤵
PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

AppCert DLLs

1

T1546.009

Privilege Escalation

Event Triggered Execution

1

T1546

AppCert DLLs

1

T1546.009

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240654921.bat

Filesize
97B

MD5
d226a657b279c5fc0a892748230a56ff

SHA1
fa7e4fb6d6de3c4769001cbfce0a00ba02ef28a5

SHA256
9dae2767b8e3499d37418a75ddd04d457c7ec8d6c8f312ee109c95a8a97e7761

SHA512
07d55ccf3b511c3be64f6dcd05cea3feaafb286196e5d7ba30016ab6d9c0d656fb7cde8eb1ce0ef28a41f1f3f00f0e29020c92479619fd43e4ed47b829f8bf2a

Download Submit
C:\Windows\SysWOW64\chknconf.dll

Filesize
65KB

MD5
83d1388959ad733f40c785d751aa119a

SHA1
f3cb42e0ed55f139feada3c1d2ce5528874c9fac

SHA256
f1ac4f44060d244cdce1fe85d7ae9758f3217415735eefa9f055457bfb74d484

SHA512
13b499cd0a3e6050a0bbed61df3cec1a9138e68cea6e9be77a638c5b5d3ec1ac7040022b94830112363052d4ddf4ac58af23a201ce9bf718977505b2b7d74c77

Download Submit
C:\Windows\System32\chknconf64.dll

Filesize
73KB

MD5
bf1f0dc6eb99b444bc727c172c4524d0

SHA1
57b660e21602b7e2138751d63829d61c801b2086

SHA256
8c27915722deb5fbd4b86cfe0770e8772c172c6c12932b3c3e539a0d57831453

SHA512
a669747f6ae13973542a7f9acedf7a37f937b75e20fe8373980e8793817d0b94eabb5c49d20fd2b65a0f9f636e6d1f5e3f73c599cd956892ec3d47f310cedb8d

Download Submit
memory/1636-14-0x00000208137C0000-0x00000208137C1000-memory.dmp

Filesize
4KB

Download
memory/2548-9-0x0000000001000000-0x0000000001037000-memory.dmp

Filesize
220KB

Download
memory/2548-7-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2548-0-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2548-10-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2548-6-0x0000000003E60000-0x0000000003E61000-memory.dmp

Filesize
4KB

Download
memory/2548-17-0x0000000001000000-0x0000000001037000-memory.dmp

Filesize
220KB

Download
memory/2548-1-0x0000000001000000-0x0000000001037000-memory.dmp

Filesize
220KB

Download
memory/3776-21-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/3776-22-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing