6b1193b6ccc722230422035c730490cedb7910b42a034bb5f2578698c4692ff0

General

Target

21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe
Size

1.2MB
MD5

21a2d7f652f0b77d0bfd93de94f7eebc
SHA1

4c70ee83a8a40d98389c52ccafe7e38fd48e8928
SHA256

6b1193b6ccc722230422035c730490cedb7910b42a034bb5f2578698c4692ff0
SHA512

eefadf9b6fb755d650176df166c76ac28bab3a31fcb3fba01deb89c3ccb2a99659b009821f77b6ad5629b8ec878f677c1b535dbe44a06430c8e74beb5fe8c1e4
SSDEEP

24576:NjOHprB3g/B74QFwhMZBThQyU1WQWmQ72aDqUHV71D1c:yWN78qD31c

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tetss.exe = "\"C:\\Users\\Admin\\AppData\\Local\\tetss.exe \""	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
4712	tetss.exe

Loads dropped DLL 4 IoCs

pid	Process
4712	tetss.exe
4712	tetss.exe
4712	tetss.exe
4712	tetss.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2540	reg.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe
4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe
4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe
4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe
4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe
4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe
4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe
4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe
4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe
4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe
4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe
4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe
4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe
4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe
4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe
4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe
4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe
4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe
4712	tetss.exe
4712	tetss.exe
4712	tetss.exe
4712	tetss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4712	tetss.exe
4712	tetss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 4140	4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe	81
PID 4472 wrote to memory of 4140	4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe	81
PID 4472 wrote to memory of 4140	4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe	81
PID 4140 wrote to memory of 3548	4140	cmd.exe	83
PID 4140 wrote to memory of 3548	4140	cmd.exe	83
PID 4140 wrote to memory of 3548	4140	cmd.exe	83
PID 3548 wrote to memory of 2540	3548	cmd.exe	84
PID 3548 wrote to memory of 2540	3548	cmd.exe	84
PID 3548 wrote to memory of 2540	3548	cmd.exe	84
PID 4472 wrote to memory of 4712	4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe	85
PID 4472 wrote to memory of 4712	4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe	85
PID 4472 wrote to memory of 4712	4472	21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21a2d7f652f0b77d0bfd93de94f7eebc_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c syscheck.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V tetss.exe /D "\"C:\Users\Admin\AppData\Local\tetss.exe \"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V tetss.exe /D "\"C:\Users\Admin\AppData\Local\tetss.exe \"" /f
      4⤵
      Adds policy Run key to start application
      Modifies registry key
      PID:2540
- C:\Users\Admin\AppData\Local\tetss.exe
  C:\Users\Admin\AppData\Local\tetss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\syscheck.bat

Filesize
168B

MD5
3f8aa4f1752d23d44870b331fd2a5b4f

SHA1
de799ee8ea491a2032b6aa1775056dbe6d559636

SHA256
30012b9eecf7542fcac72861928214cd6748570924630a9963ac40d1182dbbf4

SHA512
972090d495b3de5b0fc464b419216b06340a7ebdda76a05cdc503ebe7f8ac45938e08d956130aef7366848747fa8061cf3f7160f006acef86852d0d0d2f90842

Download Submit
C:\Users\Admin\AppData\Local\ntdata.dll

Filesize
285KB

MD5
fe2232f82e4beb5ae483da8e699e1a51

SHA1
ed2131d0f70e709f8791bfff64d2b8a4cb658ed5

SHA256
0cb462094392aeb31dd7588d95de2577efd0987315be0ce84a531c26bee3b49e

SHA512
df9ab5afb94cff850dd5c4b4ba0cfcd77d4a5887ac85a60db223eba8c5d1d64467d77c6133b8e1f5ca795deae3623717ff4cc669919d9f96ef6df193187fcc0b

Download Submit
C:\Users\Admin\AppData\Local\ntldr.dll

Filesize
237KB

MD5
6a0abfeea0ca8ba5a20d356613084276

SHA1
5c1031c0494c8b6d712e4cc17a3feed8df8b589a

SHA256
20d4e1635d54a1726769e56e0f93c7ebeb1e1ccc9e7dd1b7d3c54b2a9c689bf7

SHA512
3a71dfb18d09274bda72487745a4fdcbe936b8437c873b0209480058e0e7580a63515e4bd236e885ba5144d83848d23179cfacc18e04d44f7f24e815b462facc

Download Submit
C:\Users\Admin\AppData\Local\tetss.exe

Filesize
508KB

MD5
35af8234272b534da59ea1a1c0a0efc2

SHA1
2d5eac2208826964fb9d2883bc41f86c97d18c8c

SHA256
52bc4ec96ac4b55dbc7f22a38f1676ea056b85620be4371c97063cdac51d2b72

SHA512
e8d22ca63a5a8dd40c146ebd41c573877d8d6c9fe4d9113c2ab4ad82562b5706cdd1abc8aa117da90c55ae5a7ff5e33a3bfea14170bcfdea5c972ee540fde0c7

Download Submit
memory/4472-17-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/4712-14-0x0000000000740000-0x0000000000780000-memory.dmp

Filesize
256KB

Download
memory/4712-16-0x0000000000780000-0x00000000007CC000-memory.dmp

Filesize
304KB

Download
memory/4712-20-0x0000000000780000-0x00000000007CC000-memory.dmp

Filesize
304KB

Download
memory/4712-18-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4712-19-0x0000000000740000-0x0000000000780000-memory.dmp

Filesize
256KB

Download
memory/4712-24-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads