d7f38129d6fac3fce33d48e0c807bf3ea5a55a851e8bab94193397789b6a3538

General

Target

18014499be9533a6b2cdae9f067901e8_JaffaCakes118.exe
Size

1.5MB
MD5

18014499be9533a6b2cdae9f067901e8
SHA1

7d09e9056ca374c97195bfd5319c8d86c26fc703
SHA256

d7f38129d6fac3fce33d48e0c807bf3ea5a55a851e8bab94193397789b6a3538
SHA512

e61139679b3a881daee1605226b93c67558ce36434043b302511ef02c8d8f610be6b9040164391c62c73c4543c8cb52d0c10f15d6e0fa3220d362e1275041fad
SSDEEP

24576:gkgsDF33flr0Nzh/dlSYTj74mctR2SdjglZgRMGdG8W3zG39RNERA96Eqme/8E/w:gUuiJ9/De+pM6xrtUowQrsiweGuA5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2512	aaa1b.exe
2568	tested.exe
2812	progx64.exe
2576	aaa2b.exe
1124	Explorer.EXE

Loads dropped DLL 8 IoCs

pid	Process
2324	18014499be9533a6b2cdae9f067901e8_JaffaCakes118.exe
2324	18014499be9533a6b2cdae9f067901e8_JaffaCakes118.exe
2512	aaa1b.exe
2512	aaa1b.exe
2568	tested.exe
2324	18014499be9533a6b2cdae9f067901e8_JaffaCakes118.exe
2568	tested.exe
2324	18014499be9533a6b2cdae9f067901e8_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Users\\Admin\\AppData\\Roaming\\tested.exe"	aaa1b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1124	Explorer.EXE
Token: SeDebugPrivilege	2576	aaa2b.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2512	2324	18014499be9533a6b2cdae9f067901e8_JaffaCakes118.exe	28
PID 2324 wrote to memory of 2512	2324	18014499be9533a6b2cdae9f067901e8_JaffaCakes118.exe	28
PID 2324 wrote to memory of 2512	2324	18014499be9533a6b2cdae9f067901e8_JaffaCakes118.exe	28
PID 2324 wrote to memory of 2512	2324	18014499be9533a6b2cdae9f067901e8_JaffaCakes118.exe	28
PID 2512 wrote to memory of 2568	2512	aaa1b.exe	29
PID 2512 wrote to memory of 2568	2512	aaa1b.exe	29
PID 2512 wrote to memory of 2568	2512	aaa1b.exe	29
PID 2512 wrote to memory of 2568	2512	aaa1b.exe	29
PID 2568 wrote to memory of 2812	2568	tested.exe	30
PID 2568 wrote to memory of 2812	2568	tested.exe	30
PID 2568 wrote to memory of 2812	2568	tested.exe	30
PID 2568 wrote to memory of 2812	2568	tested.exe	30
PID 2324 wrote to memory of 2576	2324	18014499be9533a6b2cdae9f067901e8_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2576	2324	18014499be9533a6b2cdae9f067901e8_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2576	2324	18014499be9533a6b2cdae9f067901e8_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2576	2324	18014499be9533a6b2cdae9f067901e8_JaffaCakes118.exe	31
PID 2812 wrote to memory of 1124	2812	progx64.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1124
- C:\Users\Admin\AppData\Local\Temp\18014499be9533a6b2cdae9f067901e8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\18014499be9533a6b2cdae9f067901e8_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\aaa1b.exe
    "C:\Users\Admin\AppData\Local\Temp\aaa1b.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Users\Admin\AppData\Roaming\tested.exe
      "C:\Users\Admin\AppData\Roaming\tested.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Users\Admin\AppData\Roaming\progx64.exe
        
        "C:\Users\Admin\AppData\Roaming\progx64.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2812
- - C:\Users\Admin\AppData\Local\Temp\aaa2b.exe
    "C:\Users\Admin\AppData\Local\Temp\aaa2b.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aaa2b.ini

Filesize
34B

MD5
033a628e1afacdd3862e3dcd8000c95e

SHA1
933f2c923ea4398522b2bd4a7b38cac27798f5f5

SHA256
0e26ba9de847ab5498e2391537338b0118649bcfa4b35cec6be3332063aabee9

SHA512
4ae4c5cfe3ddb4a901a072fbb9767bab966cb624ba93f061e74f103d36ef70f674d6a345d5eaff98ca64486123777a768041c6998a76ac92847477c5c3681571

Download Submit
C:\Users\Admin\AppData\Roaming\lib.dll

Filesize
9KB

MD5
52cd868074a0d837bdbc82e6e7638913

SHA1
9c5c7dac6c86551e38161d2c41e7e6c7585a7b0c

SHA256
d41989e72902a362dae14714ce3487c385123238d00a02380b3db3572bb2ec74

SHA512
f9297331c026398962dd497e85bca0e2981bd2214282ff01b883e0bbca0bbd5a3e2873cc65a2edfd7660c2714a51a5b4bf32ce958a29ba1417978c499505545d

Download Submit
\Users\Admin\AppData\Local\Temp\aaa1b.exe

Filesize
23KB

MD5
981adce99a0d9420bc3b1e15983ed390

SHA1
bbeaa418c600af58ce3cf0e26dafddd492691a92

SHA256
cb6056b4f26016278a9b6d7b0e4f89178321af2e1cdb8fe9d5f8b9c892554cdd

SHA512
204fe1ef3b2e19bfaf4872295c978cd6a9b993dc6b196bb6e4e9111c772233866b77f074eebd934b0123d51faefdd944610786a06d519c57fe6fd7445283e1b4

Download Submit
\Users\Admin\AppData\Local\Temp\aaa2b.exe

Filesize
1.4MB

MD5
a8d8531a3995494a1cfc62f7e7cc77ec

SHA1
867240ca5e6af8b0fc1afa5a48a1cc10e25d3169

SHA256
9d532bea2b3bc32afc3656bc2d1ae29bc5cda57cae173210255296ec87c9db4f

SHA512
24bda81c59e2eddda428d7b240eaee607fb63bcbf5ab2109d6b127300495b24486389696048413c2b9fd47363b2fde72bb37de545191a02bc22a704fd104cf48

Download Submit
\Users\Admin\AppData\Roaming\progx64.exe

Filesize
12KB

MD5
926ee9c806f0adf82ac847f1b8187605

SHA1
91fc00a8b153ae63855f0ddefe789fcde7fb5514

SHA256
c36542a3f427d90fd9dc0566682dc1c60be194947588d6766ef098007c655280

SHA512
5f360d5997b4c3e2aa9991dff82a78a2dca2f8a0c8cc9c77bec94653f8bd690db8a4bc82bd68dcd4300bf22356c87568c8748b04689dc08afac608f2b7bbf29a

Download Submit
memory/1124-35-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2576-51-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2576-54-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2576-49-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2576-50-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2576-47-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2576-52-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2576-53-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2576-48-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2576-55-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2576-56-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2576-57-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2576-58-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2576-59-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2576-60-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads