d72e099c7c7ddb8533ebbbfe7db8430be5301dd8b54c085a637dcce9b3f87b98

General

Target

2208aaa95b499465dad1591035429009_JaffaCakes118.exe
Size

157KB
MD5

2208aaa95b499465dad1591035429009
SHA1

43b2864913c46b70c454aca239eaabc70de569bc
SHA256

d72e099c7c7ddb8533ebbbfe7db8430be5301dd8b54c085a637dcce9b3f87b98
SHA512

da30974b8f483b4ca09ca2666f3c96ec3729fd2435f8cc039ac6d43ba17a9afdee45bc4bb5fda607439e19e7f4f76c9053ec2b8a51fa2edcf4a3ef0715c5854c
SSDEEP

3072:iU1PB0i/7jyEFlIc78wZAXsBVfv5gtE2jAK6ie8rtoukEruSZJX:JBB/7BFOEYXC15gWgX6ieytoud

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2532	cmd.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 2 IoCs

pid	Process
1172	Explorer.EXE
480	services.exe

Unexpected DNS network traffic destination 18 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.242.217.247
Destination IP	91.242.217.247
Destination IP	91.242.217.247
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	91.242.217.247
Destination IP	91.242.217.247
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	91.242.217.247
Destination IP	91.242.217.247
Destination IP	91.242.217.247
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	91.242.217.247

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2132 set thread context of 2532	2132	2208aaa95b499465dad1591035429009_JaffaCakes118.exe	28

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-1298544033-3225604241-2703760938-1000\\$2afc3a57583bdc376af87a4ab5357b5e\\n."	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$2afc3a57583bdc376af87a4ab5357b5e\\n."	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\clsid	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	2208aaa95b499465dad1591035429009_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2132	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
2132	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
2132	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
2132	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
2132	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
2132	2208aaa95b499465dad1591035429009_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
Token: SeDebugPrivilege	2132	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
Token: SeDebugPrivilege	2132	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
Token: SeBackupPrivilege	480	services.exe
Token: SeRestorePrivilege	480	services.exe
Token: SeSecurityPrivilege	480	services.exe
Token: SeTakeOwnershipPrivilege	480	services.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1172	2132	2208aaa95b499465dad1591035429009_JaffaCakes118.exe	21
PID 2132 wrote to memory of 1172	2132	2208aaa95b499465dad1591035429009_JaffaCakes118.exe	21
PID 2132 wrote to memory of 480	2132	2208aaa95b499465dad1591035429009_JaffaCakes118.exe	6
PID 2132 wrote to memory of 2532	2132	2208aaa95b499465dad1591035429009_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2532	2132	2208aaa95b499465dad1591035429009_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2532	2132	2208aaa95b499465dad1591035429009_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2532	2132	2208aaa95b499465dad1591035429009_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2532	2132	2208aaa95b499465dad1591035429009_JaffaCakes118.exe	28

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:480

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1172
- C:\Users\Admin\AppData\Local\Temp\2208aaa95b499465dad1591035429009_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2208aaa95b499465dad1591035429009_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Privilege Escalation

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$2afc3a57583bdc376af87a4ab5357b5e\@

Filesize
2KB

MD5
f56663769a709a01ad0d98a18c4e5ea9

SHA1
ff06bd2f0130f5cf7af66f1d792c8896f0da2d7e

SHA256
36c87d0866fb07387bf11311db1c20a6f9432b5d88d4ef28fd72bebf3ad21d7d

SHA512
7b6b9db83e7c742dc7da9b7241245a901d49e22c7b66c19892610064768ae313951ce06f2466de867739ad9c63038b043fdaba783df5cdf4f68dfc007a8a9a92

Download Submit
C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\$2afc3a57583bdc376af87a4ab5357b5e\n

Filesize
25KB

MD5
031f24073b43717e018ba0c5f62cb0c2

SHA1
504008e17d774bdfd3996ce8cf521277ca620ca9

SHA256
9abdc34bee90330fa2505f0c3f74eda6036e5adf22cc8bcd57192d0bf6f17946

SHA512
c9a163bc5cd6171013e38ee418737f0ee383b733090648d8879b259b0659d803c23d2e62b6e34e9897c436f35984ccc4f29d552a975f03292774834279f07d37

Download Submit
memory/480-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/480-20-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1172-3-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/1172-8-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/1172-18-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/1172-19-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/2132-1-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2132-2-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2132-17-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2132-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing