7331c6f0e3299dfde3072ee02fbb2a04a02bae462cd72655edfc00ce64b0f527

General

Target

10174b833b267f8b11705fea59353010_JaffaCakes118.exe
Size

36KB
MD5

10174b833b267f8b11705fea59353010
SHA1

7292935c98df42f46492d9e1780a0e024833fff4
SHA256

7331c6f0e3299dfde3072ee02fbb2a04a02bae462cd72655edfc00ce64b0f527
SHA512

13516408113f36fd67f68aa911bccd3aa8fa38c96b41a4f08c45a2d8bae16e1d6f41c2c2fa96fd900e9201049801b3948ca3c8de1a431b9fc2192860d2e9fdd3
SSDEEP

384:r+exS/1lQRlUAqjjJeIamT/By2Aq4i9/:9xStlQRlUA0JNamTBy2F4i9/

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Modifies Shared Task Scheduler registry keys 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler	10174b833b267f8b11705fea59353010_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\{203B1C4D9-BC71-8916-38AD-9DEA5D213614} = "OLE Module"	10174b833b267f8b11705fea59353010_JaffaCakes118.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Loads dropped DLL 4 IoCs

pid	Process
2088	rundll32.exe
2088	rundll32.exe
2088	rundll32.exe
2088	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bre.dll	10174b833b267f8b11705fea59353010_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bre32.dll	10174b833b267f8b11705fea59353010_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\SOFTWARE\Microsoft\Internet Explorer\Security	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Security\aaab = "1"	rundll32.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32	10174b833b267f8b11705fea59353010_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node	10174b833b267f8b11705fea59353010_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID	10174b833b267f8b11705fea59353010_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}	10174b833b267f8b11705fea59353010_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32\ = "C:\\Windows\\SysWow64\\bre.dll"	10174b833b267f8b11705fea59353010_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32\ThreadingModel = "Apartment"	10174b833b267f8b11705fea59353010_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2088	1704	10174b833b267f8b11705fea59353010_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2088	1704	10174b833b267f8b11705fea59353010_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2088	1704	10174b833b267f8b11705fea59353010_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2088	1704	10174b833b267f8b11705fea59353010_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2088	1704	10174b833b267f8b11705fea59353010_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2088	1704	10174b833b267f8b11705fea59353010_JaffaCakes118.exe	28
PID 1704 wrote to memory of 2088	1704	10174b833b267f8b11705fea59353010_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\10174b833b267f8b11705fea59353010_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10174b833b267f8b11705fea59353010_JaffaCakes118.exe"
1⤵
- Modifies Shared Task Scheduler registry keys
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\bre.dll, load
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\bre32.dll

Filesize
39B

MD5
de36ba14c18e88607bcfe1a360d59217

SHA1
e2008cbc72c9d8651af1029645df9b3198923eff

SHA256
c00db3732cf746d140a4c4037c83f014c3a9ecbfdd66df11075bfad21cdbf497

SHA512
851bd5331ab03464e8681897e9001f46987396ddc20bbb1bd5e44577fec6afa89e86e14fb6a6439f2880103148583dad40283ebf9038663ced16c27905507066

Download Submit
\Windows\SysWOW64\bre.dll

Filesize
7KB

MD5
3b935062248a85c1cfcfc635ee675b11

SHA1
5db42b2dcd7d2a9138c1a7e2ff53fda8b411c11e

SHA256
41e3ec343c183af58d3f8421e8831144da0d9d0723aadafa4d6a538a451a84f2

SHA512
4ac47843b5f82acad360f289a39d34ed70a8925a2032376ad8da8c3956e135c8c3b7745979562c792351489f2c595bec964be1db1c2ba663d494657d9229d7d9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads