4291a26c357ca63c452c4dd7081e96eac302cfecda5c0d9c28c1e7e2bd3ba03c

General

Target

21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
Size

168KB
MD5

21b1aa83f25c211a48af93d3f36c879e
SHA1

9bc88e363e0c6dfc27f49f9ffe7384056b91f331
SHA256

4291a26c357ca63c452c4dd7081e96eac302cfecda5c0d9c28c1e7e2bd3ba03c
SHA512

0b3df7239740e88f0d09c5ca66fd35e78702d4625a95767bd1813058f163db6b1c60951c1c8f7fc91e3e4961c3d8ca66688620e20b377a1e6f83f6dd11ffc988
SSDEEP

3072:F6Z6aMP2uB2mMfy8I1LMSglXrSzSbIQw4DfjE1FUt/GK49xElUcvg0:HtzYmu7ItEuzScr4DfjE1FUtXtP

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2424	cmd.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Unexpected DNS network traffic destination 8 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_32\Desktop.ini	services.exe
File created	\systemroot\assembly\GAC_64\Desktop.ini	services.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2164 set thread context of 2424	2164	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe	28

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{d21f32a5-bca1-ac50-e123-0ea1ad15e453}\@	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
File created	C:\Windows\Installer\{d21f32a5-bca1-ac50-e123-0ea1ad15e453}\n	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{d21f32a5-bca1-ac50-e123-0ea1ad15e453}\\n."	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\clsid	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2164	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
2164	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
2164	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
2164	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
2164	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
2164	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
480	services.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
Token: SeDebugPrivilege	2164	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
Token: SeDebugPrivilege	2164	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
Token: SeDebugPrivilege	480	services.exe
Token: SeBackupPrivilege	480	services.exe
Token: SeRestorePrivilege	480	services.exe
Token: SeSecurityPrivilege	480	services.exe
Token: SeTakeOwnershipPrivilege	480	services.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 1232	2164	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe	21
PID 2164 wrote to memory of 1232	2164	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe	21
PID 2164 wrote to memory of 480	2164	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe	6
PID 2164 wrote to memory of 2424	2164	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe	28
PID 2164 wrote to memory of 2424	2164	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe	28
PID 2164 wrote to memory of 2424	2164	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe	28
PID 2164 wrote to memory of 2424	2164	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe	28
PID 2164 wrote to memory of 2424	2164	21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe	28

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:480

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\21b1aa83f25c211a48af93d3f36c879e_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Privilege Escalation

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\systemroot\Installer\{d21f32a5-bca1-ac50-e123-0ea1ad15e453}\@

Filesize
2KB

MD5
c2e49826c818ec5dc77131772d064c15

SHA1
731c9d2c9d660b87df87945883744164b45f3f77

SHA256
bd40f4b68d5bba0fad92421fcc9b77ac149fcc8692e02ed5160684ae0cb6ebe9

SHA512
aee038849e172dfb1c18278e414b35e129b40501fe55a7bc35c62a42616f2ecb0c58a3313e869ec2c0a69cb6c519cffe0c59704a6aabdb9adc511b388ae9da14

Download Submit
memory/480-25-0x0000000000060000-0x000000000006F000-memory.dmp

Filesize
60KB

Download
memory/480-32-0x0000000000070000-0x000000000007F000-memory.dmp

Filesize
60KB

Download
memory/480-42-0x0000000000070000-0x000000000007F000-memory.dmp

Filesize
60KB

Download
memory/480-30-0x0000000000070000-0x000000000007F000-memory.dmp

Filesize
60KB

Download
memory/480-29-0x0000000000060000-0x000000000006F000-memory.dmp

Filesize
60KB

Download
memory/480-31-0x0000000000050000-0x000000000005C000-memory.dmp

Filesize
48KB

Download
memory/1232-10-0x0000000002560000-0x000000000256F000-memory.dmp

Filesize
60KB

Download
memory/1232-6-0x0000000002560000-0x000000000256F000-memory.dmp

Filesize
60KB

Download
memory/1232-16-0x0000000002540000-0x000000000254C000-memory.dmp

Filesize
48KB

Download
memory/1232-41-0x0000000002540000-0x000000000254C000-memory.dmp

Filesize
48KB

Download
memory/1232-3-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1232-14-0x0000000002560000-0x000000000256F000-memory.dmp

Filesize
60KB

Download
memory/1232-15-0x0000000002570000-0x000000000257F000-memory.dmp

Filesize
60KB

Download
memory/1232-17-0x0000000002570000-0x000000000257F000-memory.dmp

Filesize
60KB

Download
memory/1232-38-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2164-36-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2164-37-0x000000000041D000-0x0000000000421000-memory.dmp

Filesize
16KB

Download
memory/2164-0-0x000000000041D000-0x0000000000421000-memory.dmp

Filesize
16KB

Download
memory/2164-40-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2164-1-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2164-2-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing