149c8a8c8325fb518b0fc245601f5e6a2283a4cb1506068248500b28bcad6083

General

Target

14a23e97f8d4e4f2c2b93f795eb15560_JaffaCakes118.exe
Size

181KB
MD5

14a23e97f8d4e4f2c2b93f795eb15560
SHA1

97340c6149e32d76fea3a2c8cadf8fe5a98e33a3
SHA256

149c8a8c8325fb518b0fc245601f5e6a2283a4cb1506068248500b28bcad6083
SHA512

896d7c2e960bc414632fcab550cf08b9ec528f1615272c29aeb40bcdde7ab7973ebd0ff0183680704ad4c9467e6c2e0ca3472c65c8ed64426a2dffe35521683c
SSDEEP

3072:si9h/0vGtBOuIUw5pPX/+Y3afecc1GXeKxotHrNK+UDrVse2h:fztktvp/+YmGRUvJc

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	14a23e97f8d4e4f2c2b93f795eb15560_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2952	dplaysvr.exe

Loads dropped DLL 3 IoCs

pid	Process
1716	14a23e97f8d4e4f2c2b93f795eb15560_JaffaCakes118.exe
1716	14a23e97f8d4e4f2c2b93f795eb15560_JaffaCakes118.exe
2952	dplaysvr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	14a23e97f8d4e4f2c2b93f795eb15560_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	14a23e97f8d4e4f2c2b93f795eb15560_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2952	dplaysvr.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1716	14a23e97f8d4e4f2c2b93f795eb15560_JaffaCakes118.exe
2952	dplaysvr.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2952	1716	14a23e97f8d4e4f2c2b93f795eb15560_JaffaCakes118.exe	29
PID 1716 wrote to memory of 2952	1716	14a23e97f8d4e4f2c2b93f795eb15560_JaffaCakes118.exe	29
PID 1716 wrote to memory of 2952	1716	14a23e97f8d4e4f2c2b93f795eb15560_JaffaCakes118.exe	29
PID 1716 wrote to memory of 2952	1716	14a23e97f8d4e4f2c2b93f795eb15560_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\14a23e97f8d4e4f2c2b93f795eb15560_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14a23e97f8d4e4f2c2b93f795eb15560_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\dplaysvr.exe
  "C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\14a23e97f8d4e4f2c2b93f795eb15560_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  PID:2952

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2D67.tmp

Filesize
77KB

MD5
f528c47782f5e0071fccfa4e9e48fed4

SHA1
ba012bcc307ab0ede3587550c9d7339fa43fbb7e

SHA256
7453ac5ef7f2a09f4dbde0c02866f6aa74ad7e123861e532818e1f40cdfefcbb

SHA512
29709e8993dbf2ac36653885b9a22f8bd8d61fb4ce6f77d5603c3f2cf1781b7b299ccb88c94bcbcc4c9cd36e4e0d5b4d9b3b91c52d2fc95387125553e3136409

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D68.tmp

Filesize
57KB

MD5
3ef19a7f2d85513048a8ccf42b4517c0

SHA1
2f504c2a48043454083dd0ac4361eb27c7e7e087

SHA256
0b68f4be0ad3f6720414cdaa4c90ab5bb84e1e4cd9d3e209f277c36f0ba5f630

SHA512
771af87b9a59455727a8c6b353f031c00af8f5a4a600b2190f547d2bc1fbe9ddbb5b4bf92530e7ab0359daa16b28031d871addff25d9f59be9e2f4d46b956e15

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
882B

MD5
d9dc78b1be3d670726c00679c7f3b14b

SHA1
b269e7e97ea12365a39a3037b9e7c7561019d0ff

SHA256
5fdd84fdbb9a3cbd2e70232d0c8d8ecbe9b25dabafbaa48a341c27b01057f041

SHA512
89e00860d64bd21ba33985087a1fdde2f33e762fd5eecf812e68d45a9f81e36a7d6cafabc0a4aac4d48abe32e64bc12cb45f6f10bcf44ff9c2beaedb51a20681

Download Submit
memory/1716-3-0x0000000000280000-0x00000000002B2000-memory.dmp

Filesize
200KB

Download
memory/1716-4-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1716-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1716-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2952-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2952-23-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2952-24-0x00000000002D0000-0x00000000002E3000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads