c94dc5b6f0d696af75b1679996ee00259cbf45d9a76589f46ef90ba0a45820ef

General

Target

08f8c195222dadf7b16c139ac65c4d7e_JaffaCakes118.exe
Size

4KB
MD5

08f8c195222dadf7b16c139ac65c4d7e
SHA1

fb4c1dde95a4b28f31e21f71764c6aa673167926
SHA256

c94dc5b6f0d696af75b1679996ee00259cbf45d9a76589f46ef90ba0a45820ef
SHA512

2228f3ba7ed94aad225cb837b7fa5da461620ff718e508db75c02b5edff412c14c0ab9e67060c2be75a939310508b02004d73f2d52e14045a2fb09f2468fb309
SSDEEP

48:6a8BSEb+hDiAVV7J0VlTBVITb++HvqRrWOG947JYSppqU:18MEbSVly6TXvqQmJ/pqU

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\0.Ä	08f8c195222dadf7b16c139ac65c4d7e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2160	2432	WerFault.exe	27

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.Ä	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Ä_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Ä_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Ä_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Ä_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.Ä\ = "Ä_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Ä_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Ä_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2904	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2904	AcroRd32.exe
2904	AcroRd32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2060	2432	08f8c195222dadf7b16c139ac65c4d7e_JaffaCakes118.exe	28
PID 2432 wrote to memory of 2060	2432	08f8c195222dadf7b16c139ac65c4d7e_JaffaCakes118.exe	28
PID 2432 wrote to memory of 2060	2432	08f8c195222dadf7b16c139ac65c4d7e_JaffaCakes118.exe	28
PID 2432 wrote to memory of 2060	2432	08f8c195222dadf7b16c139ac65c4d7e_JaffaCakes118.exe	28
PID 2432 wrote to memory of 2060	2432	08f8c195222dadf7b16c139ac65c4d7e_JaffaCakes118.exe	28
PID 2432 wrote to memory of 2060	2432	08f8c195222dadf7b16c139ac65c4d7e_JaffaCakes118.exe	28
PID 2432 wrote to memory of 2060	2432	08f8c195222dadf7b16c139ac65c4d7e_JaffaCakes118.exe	28
PID 2432 wrote to memory of 2160	2432	08f8c195222dadf7b16c139ac65c4d7e_JaffaCakes118.exe	29
PID 2432 wrote to memory of 2160	2432	08f8c195222dadf7b16c139ac65c4d7e_JaffaCakes118.exe	29
PID 2432 wrote to memory of 2160	2432	08f8c195222dadf7b16c139ac65c4d7e_JaffaCakes118.exe	29
PID 2432 wrote to memory of 2160	2432	08f8c195222dadf7b16c139ac65c4d7e_JaffaCakes118.exe	29
PID 2060 wrote to memory of 2904	2060	rundll32.exe	30
PID 2060 wrote to memory of 2904	2060	rundll32.exe	30
PID 2060 wrote to memory of 2904	2060	rundll32.exe	30
PID 2060 wrote to memory of 2904	2060	rundll32.exe	30

C:\Users\Admin\AppData\Local\Temp\08f8c195222dadf7b16c139ac65c4d7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08f8c195222dadf7b16c139ac65c4d7e_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\0.Ä
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Windows\0.Ä"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 164
  2⤵
  - Program crash
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
36d3b67706d736854cd4c7ce6f4b8c92

SHA1
b05bd3e45cc923df90a42c06302774f310eb1d01

SHA256
f352814d88b00f69044c1abe5e4e13e7ade6e0eacc315586ccd67ae0c5366565

SHA512
cf1e9ff8326aa1f5fa9c33f651b15f65dae55c8a2160e724a16bd91f43a9dc1c9b6fca8699018f6b22730bec0c05f13cca953970742f951afacf55cffa7c3815

Download Submit
C:\Windows\0.Ä

Filesize
911B

MD5
e4afef42274cf66c5f26c4a56eed2172

SHA1
1d3a4359ebe1a4a088ba3310ea13710d9b8e059b

SHA256
dac023d7f861c000a70a74397d13a1788a075c613285dcd670dbfe58ffc38140

SHA512
a204bedeccc134b9e8ac870cb6960bb12007a5949b2fe5c7805fb20af616768eeff533bfbf9852abd0ec77b4935e1a637c3b2ea997999e95647877ff99e8da9a

Download Submit
memory/2432-2-0x0000000000400000-0x0000000000401080-memory.dmp

Filesize
4KB

Download

Analysis

Sharing