385c65695d181bcee87df3ea78807bd7b22cd0f936d3c96c3ae79c0a7207b38c

General

Target

05dd29040fcabe7acd71f67e67374a3f_JaffaCakes118.exe
Size

19KB
MD5

05dd29040fcabe7acd71f67e67374a3f
SHA1

6cff371ac53436ece674cfa6d7d33b18dac3d3b4
SHA256

385c65695d181bcee87df3ea78807bd7b22cd0f936d3c96c3ae79c0a7207b38c
SHA512

1aa26943527de2ff376b964404a8892584bad66b9b3a72b9d28b7089bcf1e83ff8b1a164be69be06975339fc6d61fd5a4d6c49fdacaa72fa234e11c88fba13e4
SSDEEP

384:7kAeRsv1uU/1Ze2wejHGIXBY7DTHH+RC5PRuHM64KFdF:7kl6duU/GIsjH+s5Pk4M7

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe rundll32.exe calc.ifo beforemain"	05dd29040fcabe7acd71f67e67374a3f_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
4808	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1980	05dd29040fcabe7acd71f67e67374a3f_JaffaCakes118.exe
4808	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\calc.ifo	05dd29040fcabe7acd71f67e67374a3f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\calc.ifo	05dd29040fcabe7acd71f67e67374a3f_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\idid	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\idid\idid = "470524115"	svchost.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
528	WINWORD.EXE
528	WINWORD.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1980	05dd29040fcabe7acd71f67e67374a3f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
528	WINWORD.EXE
528	WINWORD.EXE
528	WINWORD.EXE
528	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 4808	1980	05dd29040fcabe7acd71f67e67374a3f_JaffaCakes118.exe	83
PID 1980 wrote to memory of 4808	1980	05dd29040fcabe7acd71f67e67374a3f_JaffaCakes118.exe	83
PID 1980 wrote to memory of 4808	1980	05dd29040fcabe7acd71f67e67374a3f_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\05dd29040fcabe7acd71f67e67374a3f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05dd29040fcabe7acd71f67e67374a3f_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Modifies registry class
  PID:4808

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3539.tmp

Filesize
22KB

MD5
ace9d1b546d87d145a2da87156f04d49

SHA1
d3c5381306f9ff6736f7b1a9c215f5ccb00855e4

SHA256
95b8bf1873f568d900c85ef451bf496d31216513394ed92959c0a66ec70dff0c

SHA512
912653ff0e10863b73c2d59bbc45552395ab192988655fb50872bb31a84e0a9d37712d9da97e342f90499059206e6b165cd1ba746e08473e70fdd0c9b591e36a

Download Submit
memory/528-19-0x00007FF8CFFB0000-0x00007FF8D01A5000-memory.dmp

Filesize
2.0MB

Download
memory/528-47-0x00007FF8CFFB0000-0x00007FF8D01A5000-memory.dmp

Filesize
2.0MB

Download
memory/528-8-0x00007FF890030000-0x00007FF890040000-memory.dmp

Filesize
64KB

Download
memory/528-9-0x00007FF8D004D000-0x00007FF8D004E000-memory.dmp

Filesize
4KB

Download
memory/528-10-0x00007FF8CFFB0000-0x00007FF8D01A5000-memory.dmp

Filesize
2.0MB

Download
memory/528-6-0x00007FF890030000-0x00007FF890040000-memory.dmp

Filesize
64KB

Download
memory/528-5-0x00007FF890030000-0x00007FF890040000-memory.dmp

Filesize
64KB

Download
memory/528-11-0x00007FF8CFFB0000-0x00007FF8D01A5000-memory.dmp

Filesize
2.0MB

Download
memory/528-12-0x00007FF8CFFB0000-0x00007FF8D01A5000-memory.dmp

Filesize
2.0MB

Download
memory/528-13-0x00007FF8CFFB0000-0x00007FF8D01A5000-memory.dmp

Filesize
2.0MB

Download
memory/528-15-0x00007FF88DCD0000-0x00007FF88DCE0000-memory.dmp

Filesize
64KB

Download
memory/528-18-0x00007FF8CFFB0000-0x00007FF8D01A5000-memory.dmp

Filesize
2.0MB

Download
memory/528-7-0x00007FF890030000-0x00007FF890040000-memory.dmp

Filesize
64KB

Download
memory/528-16-0x00007FF8CFFB0000-0x00007FF8D01A5000-memory.dmp

Filesize
2.0MB

Download
memory/528-14-0x00007FF8CFFB0000-0x00007FF8D01A5000-memory.dmp

Filesize
2.0MB

Download
memory/528-20-0x00007FF8CFFB0000-0x00007FF8D01A5000-memory.dmp

Filesize
2.0MB

Download
memory/528-17-0x00007FF88DCD0000-0x00007FF88DCE0000-memory.dmp

Filesize
64KB

Download
memory/528-22-0x00007FF8CFFB0000-0x00007FF8D01A5000-memory.dmp

Filesize
2.0MB

Download
memory/528-24-0x00007FF8CFFB0000-0x00007FF8D01A5000-memory.dmp

Filesize
2.0MB

Download
memory/528-23-0x00007FF8CFFB0000-0x00007FF8D01A5000-memory.dmp

Filesize
2.0MB

Download
memory/528-21-0x00007FF8CFFB0000-0x00007FF8D01A5000-memory.dmp

Filesize
2.0MB

Download
memory/528-4-0x00007FF890030000-0x00007FF890040000-memory.dmp

Filesize
64KB

Download
memory/528-40-0x00007FF8CFFB0000-0x00007FF8D01A5000-memory.dmp

Filesize
2.0MB

Download
memory/1980-37-0x0000000060380000-0x000000006038D000-memory.dmp

Filesize
52KB

Download
memory/1980-36-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4808-55-0x00007FF8CFFB0000-0x00007FF8D01A5000-memory.dmp

Filesize
2.0MB

Download
memory/4808-56-0x0000000060380000-0x000000006038D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads