87118baf7378b0218b248f620c3b69df822a253b1bc630ec996e70d8dc3952fc

General

Target

030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
Size

45KB
MD5

030f2076271a97c2a6201397080eaed5
SHA1

d01e91dce1b7113760f09b009ed43f3b1128785f
SHA256

87118baf7378b0218b248f620c3b69df822a253b1bc630ec996e70d8dc3952fc
SHA512

5de8946055903019655e328b55fc25cd9f5f522a5cbdafe9c15327725f3c891789e6e4d2573b7ccfb8b3753bef0f8836f3d60283553eb9edf8af8a187722b24b
SSDEEP

768:9i/mxEnhmldonp1uifhjfvdW1lacva85tZ6gd1GgdBGgd:9XEh8Snp1uif1NAlacNtZ6q1GqBGq

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 9 IoCs

pid	Process
4588	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
4588	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
4588	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
4588	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
4588	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
4588	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
4588	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
4588	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
4588	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update Client = "C:\\Windows\\system32\\wuclient.exe"	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XPSP2 Firewall = "C:\\Windows\\system32\\xpsp2fw.exe"	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xpsp2fw.exe	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xpsp2fw.exe	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\unctiv.dll	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tivigSes.dll	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wuclient.exe	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\unropacwcfg.dll	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AppHcWepic.dll	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ctsidathu.dll	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wuclient.exe	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a5087193-a10e-3694-1c66-28438cca5087}	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a5087193-a10e-3694-1c66-28438cca5087}\ = 88996677000000001000000004a0f0d21000000004a0f0d2510000001e000000101000000000000000000000647f637e617072667277760001000000101000000000000000000000647f72657867000300000010100000000000000000000050616159724674617872000c0000001010000000000000000000007265627875706579640011000000101000000000000000000000657867787642746200	030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\030f2076271a97c2a6201397080eaed5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\AppHcWepic.dll

Filesize
2KB

MD5
cdfe1f176617afa2cf18c2c8c40b78e7

SHA1
0017c15dd94ba5238e045ef9c44a999d964b5922

SHA256
31736c0a7df9254ef6d65519008dcef9fa258e5de983b16da80d83be2eeaa946

SHA512
9a5849f097a184588a2b44a16e80cd13a60696ab3b0e71240245a9cfe8ec7a097674385c44e753a532dcaf29af0a62593a57af6a5993997e2b98e6705878da31

Download Submit
C:\Windows\SysWOW64\ctsidathu.dll

Filesize
2KB

MD5
e5eaa2b07ab821073aa4fe5a46a5e6c5

SHA1
a63f5cb4beb7f062557e64b2683e0ed659c039ad

SHA256
3e9f9d9f6eb0e863b56bd93900b15206984e74adde4ca561aeb4caa48c6a6aab

SHA512
269646ae2a65ca3d99fe30e66714b04f0ebd1c2f24e6c963d82872719975d526c695fbdb7e3769ff5364e5f7918186d207dec9985b01c6cc44adc0c102f23647

Download Submit
C:\Windows\SysWOW64\tivigSes.dll

Filesize
2KB

MD5
e70e3735465c0efe4791a8f82ec19f9e

SHA1
b9af95a83b9ac560a8489343cbe228395a1525e4

SHA256
8d3f0c90e5d6a3cc4d8a552195b28169df041ed953f72b1e55efdb991ae75892

SHA512
c266431d38e050d095911dda11b7b52267b57fde9dfc8b16b3f3ac735eb222301976b27503147e94174af43f216c5887aaec0b9d0988cbc1807666517e911dc0

Download Submit
C:\Windows\SysWOW64\unctiv.dll

Filesize
9KB

MD5
324349fce2b4bd142b9ae1b15f9c1587

SHA1
96616d42ebd50eb4d68d99fb63fc2e3dd2d34238

SHA256
3429452fb65efc016517501c6481246cbd523d17f0f18ff6e3cf6c549a51fd73

SHA512
5457467aae0a717b0b676d285d591cafa5d99483914cb01efb1cb188b8309f3338fb3f2d09825d1a8b28cb84632f79455e464ca2b02ee71497dd4c757b9edd30

Download Submit
C:\Windows\SysWOW64\unropacwcfg.dll

Filesize
1KB

MD5
5a1a51f07b19039892d00005921757b7

SHA1
224fc4c9a8354427859b26e8fdf0ce74e78119fd

SHA256
18c9989749906d51b51ba0d7c6f5cfc68d673fc7ae2f22eae376255b5354c7af

SHA512
c57c364f0601306494c19d5fe76f6d01da7e8adabe96a0c421131420164560c415cdf029c9a61bd9b765aeaadd8a922df71d128604385f95b065287f1018e338

Download Submit
memory/4588-13-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/4588-30-0x0000000002F30000-0x0000000002F34000-memory.dmp

Filesize
16KB

Download
memory/4588-31-0x0000000002F30000-0x0000000002F33000-memory.dmp

Filesize
12KB

Download
memory/4588-32-0x0000000002F30000-0x0000000002F33000-memory.dmp

Filesize
12KB

Download
memory/4588-34-0x0000000002F30000-0x0000000002F33000-memory.dmp

Filesize
12KB

Download
memory/4588-33-0x0000000002F30000-0x0000000002F33000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads