8b8faf21684dcab1c11e1ff4324bf00ce23770ef1d7f99ce84924687aa808c78

General

Target

0b0f1f178073b215c4b0cbfdfa3db015_JaffaCakes118.exe
Size

3.0MB
MD5

0b0f1f178073b215c4b0cbfdfa3db015
SHA1

265d1bd4b08762dcf01c4c86e8f439f4d8135fdb
SHA256

8b8faf21684dcab1c11e1ff4324bf00ce23770ef1d7f99ce84924687aa808c78
SHA512

13823fadad95b109b207542f0dd938ec233bd0e629452f3ad716d982a2af596d37f6c4b1810e13525d11cf461ed1a4ed6bf0c2aa2e1f2a13eb3b0b79e97747ec
SSDEEP

49152:OZ+JSWjg06cEkgCH0fTb3aNgOdTrU3BsOYURyQec1mIIJDBQBg5kZ86a4GQN+:ObWjXtHc/aNguUxsO6WZIBWm2p8+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1416	WindowsXPKB893357v2x86HUN.exe
4960	update.exe

Loads dropped DLL 3 IoCs

pid	Process
1416	WindowsXPKB893357v2x86HUN.exe
4960	update.exe
4960	update.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service Provider = "\"C:\\Users\\Admin\\AppData\\Roaming\\services.exe\""	0b0f1f178073b215c4b0cbfdfa3db015_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Commandline = "\"C:\\Users\\Admin\\AppData\\Roaming\\command.exe\""	0b0f1f178073b215c4b0cbfdfa3db015_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\setupapi.log	update.exe
File opened for modification	\??\c:\windows\KB893357.log	update.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1352	0b0f1f178073b215c4b0cbfdfa3db015_JaffaCakes118.exe
1352	0b0f1f178073b215c4b0cbfdfa3db015_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1920	1352	0b0f1f178073b215c4b0cbfdfa3db015_JaffaCakes118.exe	85
PID 1352 wrote to memory of 1920	1352	0b0f1f178073b215c4b0cbfdfa3db015_JaffaCakes118.exe	85
PID 1352 wrote to memory of 1920	1352	0b0f1f178073b215c4b0cbfdfa3db015_JaffaCakes118.exe	85
PID 1352 wrote to memory of 1416	1352	0b0f1f178073b215c4b0cbfdfa3db015_JaffaCakes118.exe	91
PID 1352 wrote to memory of 1416	1352	0b0f1f178073b215c4b0cbfdfa3db015_JaffaCakes118.exe	91
PID 1352 wrote to memory of 1416	1352	0b0f1f178073b215c4b0cbfdfa3db015_JaffaCakes118.exe	91
PID 1416 wrote to memory of 4960	1416	WindowsXPKB893357v2x86HUN.exe	92
PID 1416 wrote to memory of 4960	1416	WindowsXPKB893357v2x86HUN.exe	92
PID 1416 wrote to memory of 4960	1416	WindowsXPKB893357v2x86HUN.exe	92

C:\Users\Admin\AppData\Local\Temp\0b0f1f178073b215c4b0cbfdfa3db015_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b0f1f178073b215c4b0cbfdfa3db015_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del /q C:\Users\Admin\AppData\Roaming\System32\Registry.*
  2⤵
  PID:1920
- C:\Users\Admin\AppData\Local\Temp\WindowsXPKB893357v2x86HUN.exe
  C:\Users\Admin\AppData\Local\Temp\\WindowsXPKB893357v2x86HUN.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1416
- - \??\c:\1ec6e515c687ec3d8161d17ce64d06\update\update.exe
    c:\1ec6e515c687ec3d8161d17ce64d06\update\update.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1ec6e515c687ec3d8161d17ce64d06\_sfx_.dll

Filesize
25KB

MD5
ee207e35aea4d5df41d90221e1b66efa

SHA1
757469cf9ad2f21f267bbe730560114fdf8a89a5

SHA256
cf64c95e9a2d02967efc22b00efb3736156b913a95231eb63c1df45d43475e64

SHA512
43e9f75725daa4f3428b2d9cee2c2cc8b2f2e991b8e58d72d2f429fbdfb614c86d172f03d3f9da98756bd4e245643d9a57c6efa422d6c60ad364a2322245542d

Download Submit
C:\1ec6e515c687ec3d8161d17ce64d06\update\update.exe

Filesize
706KB

MD5
159c70c4e6bbf38aab8ac6220f44497a

SHA1
0ae927bc2752340a66c3984236ceaddad1c4b263

SHA256
19cbcdba74e18aa42414082a8941d3634e763ad4e52e399fe818139aa2331ae0

SHA512
2aeb58325113c1b7a694b9f29a1ce7b9e4e79d165fff6e69405d4ffdbd1b2fc9a51c8d4850b1bfc17b13c8608a7f92b3c77314eb30a4b9ae14b39cf3f0df25fd

Download Submit
C:\1ec6e515c687ec3d8161d17ce64d06\update\updspapi.dll

Filesize
378KB

MD5
0c74bebb2e57e61cf2372e8936aa1286

SHA1
adc79970c4e7a1d64c84a13e52c45e1f7317873d

SHA256
7890f3de15cf561a26f7e6d4009baada5a727df47ec63a7582477625e94087ed

SHA512
1d3f303b7dd953b205b18f4424284c59d43a4ca1f5556db76dccc6f26ef53099a7cc12fbcafe63135f5ff01b79ba3ce902516b2d9de1a5582b73fbf40e124e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsXPKB893357v2x86HUN.exe

Filesize
1.2MB

MD5
0322826113165615d4015d3bdc2d8d98

SHA1
c15521c93f808b16406772d62de2f1d967f4d11d

SHA256
60b4a0074bc57c412347f9bb0c5500dabf6dd9148d31f8683d46e6dfb94ba93a

SHA512
a51e617e40687e8f6a462276b9584869a07a856ed4f692eed5155ab277150b93037d2626d69e7d6143ff22e2e2cb00081793ec8f7fa3e367f42fe69bd6ec71c9

Download Submit
memory/1352-0-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/1352-65-0x0000000000400000-0x0000000000701000-memory.dmp

Filesize
3.0MB

Download
memory/1352-68-0x0000000000400000-0x0000000000701000-memory.dmp

Filesize
3.0MB

Download
memory/4960-64-0x0000000002940000-0x00000000029A0000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads