ef65ff8d1127cdf737898d28247f215f62d8ee70e02faebc5ec19f18878ee4fb

General

Target

26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe
Size

268KB
MD5

26a9c623d246bcd3aff93be73e73b82f
SHA1

b74e161f0c0bd87046475676d804db0f99475924
SHA256

ef65ff8d1127cdf737898d28247f215f62d8ee70e02faebc5ec19f18878ee4fb
SHA512

c97d94148c826b8bcc664bc5f22373b2362836559b0b23f76dad6d040c5f7fed0a3c726d5061a02dc69f774b4305cc66eaeb8a4b9c60f9c206f2f59d5e932003
SSDEEP

6144:ioglNYGIMfbj3pdFpTrjeNxJ4LX+a5toF4cX9ZSoab+QWgwWobEHF:i1lGAfbj3NpnjeJufY4cGDWPzg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2748	realupdate.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	sites.google.com
11	sites.google.com

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_9070507DE94D60F7B5DD071F498E2210	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_9070507DE94D60F7B5DD071F498E2210	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	realupdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	realupdate.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\realupdate.exe	26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe
File opened for modification	C:\Windows\realupdate.exe	26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe
File created	C:\Windows\UNINSTAL.BAT	26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
940	1404	WerFault.exe	87

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	realupdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	realupdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P	realupdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	realupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	realupdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe
Token: SeDebugPrivilege	2748	realupdate.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2748	realupdate.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 1732	2748	realupdate.exe	92
PID 2748 wrote to memory of 1732	2748	realupdate.exe	92
PID 1404 wrote to memory of 924	1404	26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe	96
PID 1404 wrote to memory of 924	1404	26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe	96
PID 1404 wrote to memory of 924	1404	26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26a9c623d246bcd3aff93be73e73b82f_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 676
  2⤵
  - Program crash
  PID:940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\UNINSTAL.BAT
  2⤵
  PID:924

C:\Windows\realupdate.exe
C:\Windows\realupdate.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1404 -ip 1404
1⤵
PID:3780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4636,i,18267267250369716772,14567143188126594249,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:8
1⤵
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\UNINSTAL.BAT

Filesize
214B

MD5
ca8c3807fa27378233305a5149797acf

SHA1
999469aa1e6dfeb7ed4bc73cb978c2a49239d89e

SHA256
b9419da04db4394c4a22c80c36f61b6d06e2e3acf8df71080722733156baf77b

SHA512
39cd24e973abe4bde382c4fbbc48e51debeda5d1a4d8d53c235d64b14d409e5d2adb50403d3fb6f918e82d6a28f3e676dca99cb53d7867f22f57ca2b73994d6f

Download Submit
C:\Windows\realupdate.exe

Filesize
268KB

MD5
26a9c623d246bcd3aff93be73e73b82f

SHA1
b74e161f0c0bd87046475676d804db0f99475924

SHA256
ef65ff8d1127cdf737898d28247f215f62d8ee70e02faebc5ec19f18878ee4fb

SHA512
c97d94148c826b8bcc664bc5f22373b2362836559b0b23f76dad6d040c5f7fed0a3c726d5061a02dc69f774b4305cc66eaeb8a4b9c60f9c206f2f59d5e932003

Download Submit
memory/1404-0-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/1404-3-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1404-9-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2748-6-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2748-23-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2748-25-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2748-28-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2748-32-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing