9b8d60bd2f57df2872569170fe07679c4e708b5b88d3acee2c9bff4001f846ae

General

Target

02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe
Size

130KB
MD5

02d4ef9fd2dca8d0055f939218e01710
SHA1

503df8521e983a94beca0c222431fbcab3f66630
SHA256

9b8d60bd2f57df2872569170fe07679c4e708b5b88d3acee2c9bff4001f846ae
SHA512

2288d8f91e99de4b5ea0f44871bd08a7e6cf85248826f6070bcc44164f7049e5db770d821918901c3afe5f2fa7f223b41cd357b6938cb5cbf33ef7ae1c8528d8
SSDEEP

3072:85uCuaoiS8B1TW5k3MvG+zbI3VTu+I2d5KlOmEC7J7cp:ZC5v3HTWK2GH3VTpIJl

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\help\B41346EFA848.dll	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe
File opened for modification	C:\Windows\help\B41346EFA848.dll	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\help\\B41346EFA848.dll"	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe
Token: SeRestorePrivilege	2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe
Token: SeRestorePrivilege	2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe
Token: SeRestorePrivilege	2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe
Token: SeRestorePrivilege	2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe
Token: SeRestorePrivilege	2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe
Token: SeBackupPrivilege	2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe
Token: SeRestorePrivilege	2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe
Token: SeRestorePrivilege	2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe
Token: SeRestorePrivilege	2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe
Token: SeRestorePrivilege	2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe
Token: SeRestorePrivilege	2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1980	2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe	28
PID 2020 wrote to memory of 1980	2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe	28
PID 2020 wrote to memory of 1980	2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe	28
PID 2020 wrote to memory of 1980	2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe	28
PID 2020 wrote to memory of 2416	2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe	30
PID 2020 wrote to memory of 2416	2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe	30
PID 2020 wrote to memory of 2416	2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe	30
PID 2020 wrote to memory of 2416	2020	02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02d4ef9fd2dca8d0055f939218e01710_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
41bd4f1cc6ab54687004d7b1015ba72e

SHA1
830b25b829026cc026af3bb5b952fc15b625bfbd

SHA256
b8ba34f3ce5cffbf0c4a1ffbcd57f82aefe281e1bd8c0a57fae4ac89d4aa5cf5

SHA512
a5f01d3200a13904b69d679227a5112ab9759bf14e36999fe238bda039e6ecef176ed1bd690cc43eaec610fa86792bcc8ed8d10bd01cf2e2a4439f7d72a442a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
71f796f6a74f137c987409d77e25e71a

SHA1
eb338aa51b2f05f3cfe99c30fa152a39cf833d33

SHA256
23fdb5beaca88dff043af84133aedf01764360bdf078547eaa226d83beaee4f4

SHA512
2a7f1aa660660e6d994f9b6bcdc2e3b8c888ddb52a969348a5522ecb0dc4be1b50a419d10cf3d7f7f87935ce5c84340af42df49d3dcef644403ac9e955932361

Download Submit
\Windows\Help\B41346EFA848.dll

Filesize
117KB

MD5
ae7eaffd3e6501d9830c167225323fde

SHA1
7ce8eb7fc66fb83b83f8eb7d127756e11da51b3b

SHA256
da42e8df26427f23e081d8dec433c76b0f5b1dcaefca8b4b2b6c2ffc8eae8c33

SHA512
8801bf06ba58a62fdbd06c078bfffdac9e02a7ab6670e9473dc0540de0dd20271f6e11476ab343e85d6707709342edb720640969d7c7d632264e1403bd421e79

Download Submit
memory/2020-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-2-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-1-0x000000000042E000-0x000000000042F000-memory.dmp

Filesize
4KB

Download
memory/2020-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-24-0x0000000000360000-0x00000000003B0000-memory.dmp

Filesize
320KB

Download
memory/2020-25-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-26-0x000000000042E000-0x000000000042F000-memory.dmp

Filesize
4KB

Download
memory/2020-28-0x0000000000360000-0x00000000003B0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing