1c9940693fab631038ecce7f5b3a24d64b85e9a5de89d2db0bcc96bec23fea72

General

Target

1927d5a81b3828dad2dcd9c70716f94d_JaffaCakes118.exe
Size

1.1MB
MD5

1927d5a81b3828dad2dcd9c70716f94d
SHA1

14f35671f902d849e240fb58c9cdcad0789d240f
SHA256

1c9940693fab631038ecce7f5b3a24d64b85e9a5de89d2db0bcc96bec23fea72
SHA512

9913634319ef1210c3bb61c602515d7975774b5d8fd0006c9789067a1292e746a8380c1b5f553195679cfa3ac68441a23e5f76364c61f7bc74df6c4e7aea2f8f
SSDEEP

24576:cuYOHRLthh3zCvKNvU1jExgSs2oZP8bkVzzmuAhFEJmQFe:S4hhBUCvDe2oZlzjAZ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2628	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2816	44181321.exe

Loads dropped DLL 4 IoCs

pid	Process
2148	cmd.exe
2148	cmd.exe
2816	44181321.exe
2816	44181321.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00350000000141aa-17.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\44181321 = "C:\\ProgramData\\44181321\\44181321.exe"	1927d5a81b3828dad2dcd9c70716f94d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\44181321 = "C:\\PROGRA~3\\44181321\\44181321.exe"	44181321.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2664	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2816	44181321.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	taskkill.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2816	44181321.exe
2816	44181321.exe
2816	44181321.exe
2816	44181321.exe
2816	44181321.exe
2816	44181321.exe
2816	44181321.exe
2816	44181321.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2816	44181321.exe
2816	44181321.exe
2816	44181321.exe
2816	44181321.exe
2816	44181321.exe
2816	44181321.exe
2816	44181321.exe
2816	44181321.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2628	2460	1927d5a81b3828dad2dcd9c70716f94d_JaffaCakes118.exe	28
PID 2460 wrote to memory of 2628	2460	1927d5a81b3828dad2dcd9c70716f94d_JaffaCakes118.exe	28
PID 2460 wrote to memory of 2628	2460	1927d5a81b3828dad2dcd9c70716f94d_JaffaCakes118.exe	28
PID 2460 wrote to memory of 2628	2460	1927d5a81b3828dad2dcd9c70716f94d_JaffaCakes118.exe	28
PID 2628 wrote to memory of 2664	2628	cmd.exe	30
PID 2628 wrote to memory of 2664	2628	cmd.exe	30
PID 2628 wrote to memory of 2664	2628	cmd.exe	30
PID 2628 wrote to memory of 2664	2628	cmd.exe	30
PID 2628 wrote to memory of 2148	2628	cmd.exe	32
PID 2628 wrote to memory of 2148	2628	cmd.exe	32
PID 2628 wrote to memory of 2148	2628	cmd.exe	32
PID 2628 wrote to memory of 2148	2628	cmd.exe	32
PID 2148 wrote to memory of 2816	2148	cmd.exe	33
PID 2148 wrote to memory of 2816	2148	cmd.exe	33
PID 2148 wrote to memory of 2816	2148	cmd.exe	33
PID 2148 wrote to memory of 2816	2148	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\1927d5a81b3828dad2dcd9c70716f94d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1927d5a81b3828dad2dcd9c70716f94d_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\ProgramData\44181321\44181321.bat" "
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im 1927d5a81b3828dad2dcd9c70716f94d_JaffaCakes118.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start C:\PROGRA~3\44181321\44181321.exe /install
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\PROGRA~3\44181321\44181321.exe
      C:\PROGRA~3\44181321\44181321.exe /install
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44181321\44181321.bat

Filesize
304B

MD5
3e6693f5937742dcc324f8d2538a5665

SHA1
a51448ac58bc5749cf91332cd68dfb5579ac0e1d

SHA256
b4e59f7301feba341222e3bb438a6dace8ef3c751a4aab02dcadde13c1b78360

SHA512
e91d65f3f5e8c0944314fa1e7a913a92e7808acc77354c0e1bee0114263b804cc2d0760b580b251178254114e5a25e9ec78556892e15f2d78a420c9d476949c2

Download Submit
\PROGRA~3\44181321\44181321.exe

Filesize
1.1MB

MD5
1927d5a81b3828dad2dcd9c70716f94d

SHA1
14f35671f902d849e240fb58c9cdcad0789d240f

SHA256
1c9940693fab631038ecce7f5b3a24d64b85e9a5de89d2db0bcc96bec23fea72

SHA512
9913634319ef1210c3bb61c602515d7975774b5d8fd0006c9789067a1292e746a8380c1b5f553195679cfa3ac68441a23e5f76364c61f7bc74df6c4e7aea2f8f

Download Submit
memory/2460-1-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2460-2-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2460-3-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2460-4-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2460-15-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2816-28-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2816-35-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2816-22-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2816-25-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2816-27-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2816-24-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2816-26-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2816-33-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2816-34-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2816-23-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2816-36-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2816-37-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2816-39-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2816-40-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2816-41-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2816-42-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download
memory/2816-43-0x0000000000400000-0x00000000005DC000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads