d72e099c7c7ddb8533ebbbfe7db8430be5301dd8b54c085a637dcce9b3f87b98

General

Target

2208aaa95b499465dad1591035429009_JaffaCakes118.exe
Size

157KB
MD5

2208aaa95b499465dad1591035429009
SHA1

43b2864913c46b70c454aca239eaabc70de569bc
SHA256

d72e099c7c7ddb8533ebbbfe7db8430be5301dd8b54c085a637dcce9b3f87b98
SHA512

da30974b8f483b4ca09ca2666f3c96ec3729fd2435f8cc039ac6d43ba17a9afdee45bc4bb5fda607439e19e7f4f76c9053ec2b8a51fa2edcf4a3ef0715c5854c
SSDEEP

3072:iU1PB0i/7jyEFlIc78wZAXsBVfv5gtE2jAK6ie8rtoukEruSZJX:JBB/7BFOEYXC15gWgX6ieytoud

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5024	cmd.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
3420	Explorer.EXE

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.242.217.247
Destination IP	66.85.130.234
Destination IP	91.242.217.247
Destination IP	91.242.217.247
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	91.242.217.247
Destination IP	66.85.130.234
Destination IP	91.242.217.247

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1320 set thread context of 5024	1320	2208aaa95b499465dad1591035429009_JaffaCakes118.exe	81

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\clsid	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3558294865-3673844354-2255444939-1000\\$ea2e2158aac05fcd2251cfe270de11a2\\n."	2208aaa95b499465dad1591035429009_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1320	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
1320	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
1320	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
1320	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
1320	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
1320	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
1320	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
1320	2208aaa95b499465dad1591035429009_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
Token: SeDebugPrivilege	1320	2208aaa95b499465dad1591035429009_JaffaCakes118.exe
Token: SeDebugPrivilege	1320	2208aaa95b499465dad1591035429009_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 3420	1320	2208aaa95b499465dad1591035429009_JaffaCakes118.exe	56
PID 1320 wrote to memory of 3420	1320	2208aaa95b499465dad1591035429009_JaffaCakes118.exe	56
PID 1320 wrote to memory of 5024	1320	2208aaa95b499465dad1591035429009_JaffaCakes118.exe	81
PID 1320 wrote to memory of 5024	1320	2208aaa95b499465dad1591035429009_JaffaCakes118.exe	81
PID 1320 wrote to memory of 5024	1320	2208aaa95b499465dad1591035429009_JaffaCakes118.exe	81
PID 1320 wrote to memory of 5024	1320	2208aaa95b499465dad1591035429009_JaffaCakes118.exe	81

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:3420
- C:\Users\Admin\AppData\Local\Temp\2208aaa95b499465dad1591035429009_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2208aaa95b499465dad1591035429009_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Privilege Escalation

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\$ea2e2158aac05fcd2251cfe270de11a2\n

Filesize
25KB

MD5
031f24073b43717e018ba0c5f62cb0c2

SHA1
504008e17d774bdfd3996ce8cf521277ca620ca9

SHA256
9abdc34bee90330fa2505f0c3f74eda6036e5adf22cc8bcd57192d0bf6f17946

SHA512
c9a163bc5cd6171013e38ee418737f0ee383b733090648d8879b259b0659d803c23d2e62b6e34e9897c436f35984ccc4f29d552a975f03292774834279f07d37

Download Submit
memory/1320-1-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1320-2-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1320-9-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1320-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3420-3-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/3420-7-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing