87118baf7378b0218b248f620c3b69df822a253b1bc630ec996e70d8dc3952fc

General

Target

030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
Size

45KB
MD5

030f2076271a97c2a6201397080eaed5
SHA1

d01e91dce1b7113760f09b009ed43f3b1128785f
SHA256

87118baf7378b0218b248f620c3b69df822a253b1bc630ec996e70d8dc3952fc
SHA512

5de8946055903019655e328b55fc25cd9f5f522a5cbdafe9c15327725f3c891789e6e4d2573b7ccfb8b3753bef0f8836f3d60283553eb9edf8af8a187722b24b
SSDEEP

768:9i/mxEnhmldonp1uifhjfvdW1lacva85tZ6gd1GgdBGgd:9XEh8Snp1uif1NAlacNtZ6q1GqBGq

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
1276	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
1276	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
1276	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
1276	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
1276	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update Client = "C:\\Windows\\system32\\wuclient.exe"	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XPSP2 Firewall = "C:\\Windows\\system32\\xpsp2fw.exe"	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wuclient.exe	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ppthfutter.dll	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\nCein-.dll	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\onmeSesla.dll	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wuclient.exe	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xpsp2fw.exe	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xpsp2fw.exe	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\-l-crt.dll	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ecacles.dll	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe

Modifies registry class 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f1af588b-35eb-17c6-d623-8d7ac46f1af5}\ = 88996677000000001000000004a0f0d21000000004a0f0d2510000001e0000001010000000000000000000003c7d3c72636500010000001010000000000000000000006161657977646565746300030000001010000000000000000000007f5274787f3c000c000000101000000000000000000000747270727d746200110000001010000000000000000000007e7f7c744274627d7000	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f1af588b-35eb-17c6-d623-8d7ac46f1af5}	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\-l-crt.dll

Filesize
1KB

MD5
5a1a51f07b19039892d00005921757b7

SHA1
224fc4c9a8354427859b26e8fdf0ce74e78119fd

SHA256
18c9989749906d51b51ba0d7c6f5cfc68d673fc7ae2f22eae376255b5354c7af

SHA512
c57c364f0601306494c19d5fe76f6d01da7e8adabe96a0c421131420164560c415cdf029c9a61bd9b765aeaadd8a922df71d128604385f95b065287f1018e338

Download Submit
\Windows\SysWOW64\ecacles.dll

Filesize
2KB

MD5
e5eaa2b07ab821073aa4fe5a46a5e6c5

SHA1
a63f5cb4beb7f062557e64b2683e0ed659c039ad

SHA256
3e9f9d9f6eb0e863b56bd93900b15206984e74adde4ca561aeb4caa48c6a6aab

SHA512
269646ae2a65ca3d99fe30e66714b04f0ebd1c2f24e6c963d82872719975d526c695fbdb7e3769ff5364e5f7918186d207dec9985b01c6cc44adc0c102f23647

Download Submit
\Windows\SysWOW64\nCein-.dll

Filesize
2KB

MD5
cdfe1f176617afa2cf18c2c8c40b78e7

SHA1
0017c15dd94ba5238e045ef9c44a999d964b5922

SHA256
31736c0a7df9254ef6d65519008dcef9fa258e5de983b16da80d83be2eeaa946

SHA512
9a5849f097a184588a2b44a16e80cd13a60696ab3b0e71240245a9cfe8ec7a097674385c44e753a532dcaf29af0a62593a57af6a5993997e2b98e6705878da31

Download Submit
\Windows\SysWOW64\onmeSesla.dll

Filesize
2KB

MD5
e70e3735465c0efe4791a8f82ec19f9e

SHA1
b9af95a83b9ac560a8489343cbe228395a1525e4

SHA256
8d3f0c90e5d6a3cc4d8a552195b28169df041ed953f72b1e55efdb991ae75892

SHA512
c266431d38e050d095911dda11b7b52267b57fde9dfc8b16b3f3ac735eb222301976b27503147e94174af43f216c5887aaec0b9d0988cbc1807666517e911dc0

Download Submit
\Windows\SysWOW64\ppthfutter.dll

Filesize
9KB

MD5
324349fce2b4bd142b9ae1b15f9c1587

SHA1
96616d42ebd50eb4d68d99fb63fc2e3dd2d34238

SHA256
3429452fb65efc016517501c6481246cbd523d17f0f18ff6e3cf6c549a51fd73

SHA512
5457467aae0a717b0b676d285d591cafa5d99483914cb01efb1cb188b8309f3338fb3f2d09825d1a8b28cb84632f79455e464ca2b02ee71497dd4c757b9edd30

Download Submit
memory/1276-12-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/1276-21-0x0000000001D40000-0x0000000001D44000-memory.dmp

Filesize
16KB

Download
memory/1276-22-0x0000000001D40000-0x0000000001D43000-memory.dmp

Filesize
12KB

Download
memory/1276-23-0x0000000001D40000-0x0000000001D43000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads