3336d0a792b14da9c3249f04be5b2c4c78f36232957d20326c5dec67ba5855d7

General

Target

2122a171e6197bd8d1aa986dacf033e7_JaffaCakes118.exe
Size

20KB
MD5

2122a171e6197bd8d1aa986dacf033e7
SHA1

aa2f603cc0f553d94527c087af91e8805e049206
SHA256

3336d0a792b14da9c3249f04be5b2c4c78f36232957d20326c5dec67ba5855d7
SHA512

ea8bec085682c6955d46b0d6fe9999e340a5bc85790b6489b7e03816e0e5cc8dfad4b28ec6e9fd0cbc0ae7921869343830daf531565ae4b0c06419dad97ff362
SSDEEP

384:+E20kjGwdjuMGaJHDVcNTXkkgl6QUUVrV90Tfi3t5Mn7s1LEFeeHbamXF:+Exk6wdjuaJRcNzkkeUUFV9Yfee8keet

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe rundll32.exe calc.ifo before1main"	2122a171e6197bd8d1aa986dacf033e7_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
3120	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
3008	2122a171e6197bd8d1aa986dacf033e7_JaffaCakes118.exe
3120	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\calc.ifo	2122a171e6197bd8d1aa986dacf033e7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\calc.ifo	2122a171e6197bd8d1aa986dacf033e7_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\idid	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\idid\idid = "384453393"	svchost.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3212	WINWORD.EXE
3212	WINWORD.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3008	2122a171e6197bd8d1aa986dacf033e7_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3212	WINWORD.EXE
3212	WINWORD.EXE
3212	WINWORD.EXE
3212	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 3120	3008	2122a171e6197bd8d1aa986dacf033e7_JaffaCakes118.exe	89
PID 3008 wrote to memory of 3120	3008	2122a171e6197bd8d1aa986dacf033e7_JaffaCakes118.exe	89
PID 3008 wrote to memory of 3120	3008	2122a171e6197bd8d1aa986dacf033e7_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\2122a171e6197bd8d1aa986dacf033e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2122a171e6197bd8d1aa986dacf033e7_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Modifies registry class
  PID:3120

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3C8C.tmp

Filesize
22KB

MD5
0b124a35686f686c0d80ed6f1c5155de

SHA1
57783ff5b2ec605ecb2357ea025604de6086557e

SHA256
e12a7b8e61de8d43494040de92c8dce6421b92f42bbf92b4b408601f0f87aee2

SHA512
4afe56902be0e7896b4e6554ea6c24a62170bbdd98de70f8d1a509b1204abd334d08c5809c7d9eae29edccb057d57d5d751d174f5b81119b22daf8993d53998f

Download Submit
memory/3008-33-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3008-34-0x0000000060380000-0x000000006038D000-memory.dmp

Filesize
52KB

Download
memory/3120-52-0x0000000060380000-0x000000006038D000-memory.dmp

Filesize
52KB

Download
memory/3120-51-0x0000000060380000-0x000000006038D000-memory.dmp

Filesize
52KB

Download
memory/3120-50-0x00007FFB4F110000-0x00007FFB4F305000-memory.dmp

Filesize
2.0MB

Download
memory/3212-16-0x00007FFB0C830000-0x00007FFB0C840000-memory.dmp

Filesize
64KB

Download
memory/3212-19-0x00007FFB4F110000-0x00007FFB4F305000-memory.dmp

Filesize
2.0MB

Download
memory/3212-11-0x00007FFB4F110000-0x00007FFB4F305000-memory.dmp

Filesize
2.0MB

Download
memory/3212-12-0x00007FFB4F110000-0x00007FFB4F305000-memory.dmp

Filesize
2.0MB

Download
memory/3212-13-0x00007FFB4F110000-0x00007FFB4F305000-memory.dmp

Filesize
2.0MB

Download
memory/3212-15-0x00007FFB4F110000-0x00007FFB4F305000-memory.dmp

Filesize
2.0MB

Download
memory/3212-9-0x00007FFB0F190000-0x00007FFB0F1A0000-memory.dmp

Filesize
64KB

Download
memory/3212-14-0x00007FFB4F110000-0x00007FFB4F305000-memory.dmp

Filesize
2.0MB

Download
memory/3212-17-0x00007FFB4F110000-0x00007FFB4F305000-memory.dmp

Filesize
2.0MB

Download
memory/3212-10-0x00007FFB4F110000-0x00007FFB4F305000-memory.dmp

Filesize
2.0MB

Download
memory/3212-18-0x00007FFB4F110000-0x00007FFB4F305000-memory.dmp

Filesize
2.0MB

Download
memory/3212-20-0x00007FFB0C830000-0x00007FFB0C840000-memory.dmp

Filesize
64KB

Download
memory/3212-21-0x00007FFB4F110000-0x00007FFB4F305000-memory.dmp

Filesize
2.0MB

Download
memory/3212-7-0x00007FFB0F190000-0x00007FFB0F1A0000-memory.dmp

Filesize
64KB

Download
memory/3212-8-0x00007FFB4F1AD000-0x00007FFB4F1AE000-memory.dmp

Filesize
4KB

Download
memory/3212-37-0x00007FFB4F110000-0x00007FFB4F305000-memory.dmp

Filesize
2.0MB

Download
memory/3212-42-0x00007FFB4F110000-0x00007FFB4F305000-memory.dmp

Filesize
2.0MB

Download
memory/3212-5-0x00007FFB0F190000-0x00007FFB0F1A0000-memory.dmp

Filesize
64KB

Download
memory/3212-6-0x00007FFB0F190000-0x00007FFB0F1A0000-memory.dmp

Filesize
64KB

Download
memory/3212-4-0x00007FFB0F190000-0x00007FFB0F1A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads