0e9bc9768c0917bb868a363cec6bfc45ece805d035baf3ac2ada27686ba3e213

General

Target

03937d8b86c32eee1c75915b5a643162_JaffaCakes118.exe
Size

374KB
MD5

03937d8b86c32eee1c75915b5a643162
SHA1

640b9df3a9055fbaea64795cda5660dd71ef9b31
SHA256

0e9bc9768c0917bb868a363cec6bfc45ece805d035baf3ac2ada27686ba3e213
SHA512

74d3a5687257af041511b075cc16af11cc4070563b8e67c077eae41a2520d1cc0f86d4fcbdd220e91785103dd55d168c6233104a6d2386fb42c5d0a32a948992
SSDEEP

6144:adO089auaFSvpL9z5vzA5xY1Wx30rFuw+pBX5mU3wLgdfmxBDLkjlNCTDjXz1MF:iO089al4vpL9lbsxWlrFxmFJ3oPDL8kC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2160	2.exe
2960	lssas

Loads dropped DLL 3 IoCs

pid	Process
1916	03937d8b86c32eee1c75915b5a643162_JaffaCakes118.exe
1916	03937d8b86c32eee1c75915b5a643162_JaffaCakes118.exe
2160	2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	03937d8b86c32eee1c75915b5a643162_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\lssas	2.exe
File created	C:\Windows\uninstal.BAT	2.exe
File created	\??\c:\windows\lssas	2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	2.exe
Token: SeDebugPrivilege	2960	lssas

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2960	lssas

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2160	1916	03937d8b86c32eee1c75915b5a643162_JaffaCakes118.exe	28
PID 1916 wrote to memory of 2160	1916	03937d8b86c32eee1c75915b5a643162_JaffaCakes118.exe	28
PID 1916 wrote to memory of 2160	1916	03937d8b86c32eee1c75915b5a643162_JaffaCakes118.exe	28
PID 1916 wrote to memory of 2160	1916	03937d8b86c32eee1c75915b5a643162_JaffaCakes118.exe	28
PID 1916 wrote to memory of 2160	1916	03937d8b86c32eee1c75915b5a643162_JaffaCakes118.exe	28
PID 1916 wrote to memory of 2160	1916	03937d8b86c32eee1c75915b5a643162_JaffaCakes118.exe	28
PID 1916 wrote to memory of 2160	1916	03937d8b86c32eee1c75915b5a643162_JaffaCakes118.exe	28
PID 2160 wrote to memory of 2708	2160	2.exe	30
PID 2160 wrote to memory of 2708	2160	2.exe	30
PID 2160 wrote to memory of 2708	2160	2.exe	30
PID 2160 wrote to memory of 2708	2160	2.exe	30
PID 2160 wrote to memory of 2708	2160	2.exe	30
PID 2160 wrote to memory of 2708	2160	2.exe	30
PID 2160 wrote to memory of 2708	2160	2.exe	30

C:\Users\Admin\AppData\Local\Temp\03937d8b86c32eee1c75915b5a643162_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03937d8b86c32eee1c75915b5a643162_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.BAT
    3⤵
    PID:2708

\??\c:\windows\lssas
c:\windows\lssas
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.BAT

Filesize
150B

MD5
91c810ccebeeacd100ed047b616ee725

SHA1
816bdc85dd9d8a49f2a768fe3d8abf9cee1b28e4

SHA256
cdcde6145adc429eb30969abadb4941a331228c51c5a465120b2c41a4bc9637f

SHA512
e3c940946c956b88cef649cd550d988238622f0e370ca300b7a72ef61a8bb57f32f55ec99ba939be11138ffecf533cd4e0f8c6d005540967708468989b0d0abe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe

Filesize
746KB

MD5
acf7e565846c2466fb9e7ee322bb8b13

SHA1
d9c949f38a7bc6a40ac13e676ebe6b7b8a0188c1

SHA256
8fecc4e0f69a946de153c023fc934da1ff3f015fc8d84ce9ff1f8500f8e082bc

SHA512
3f0b9c2e1d4ea8071287746b4b4508825bd683afc4d1ef5fe81817416cc890920f51d0bcdbb37c68b1c462c230ab5c0cf1f3099a4d62c48e8b040a9817d8400c

Download Submit
memory/1916-0-0x0000000001000000-0x00000000010C1794-memory.dmp

Filesize
773KB

Download
memory/1916-1-0x0000000000880000-0x0000000000942000-memory.dmp

Filesize
776KB

Download
memory/1916-2-0x00000000010C1000-0x00000000010C2000-memory.dmp

Filesize
4KB

Download
memory/1916-5-0x0000000001000000-0x00000000010C1794-memory.dmp

Filesize
773KB

Download
memory/1916-27-0x0000000001000000-0x00000000010C1794-memory.dmp

Filesize
773KB

Download
memory/2160-26-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2960-18-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2960-29-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2960-31-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads