dfb19d6e1d3db0574513492ca16859cda01dbcfd4f16220a8a02e13892adc353

General

Target

253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe
Size

1.4MB
MD5

253ae13ced521c757ac7a4aa9807c754
SHA1

d8d2aa3a6edfd8c80e9f7067345dac11db3a8c41
SHA256

dfb19d6e1d3db0574513492ca16859cda01dbcfd4f16220a8a02e13892adc353
SHA512

be2f7869c8548442bd14962f0f4fff4e11d5a347d63feb6214449540be6a70652a800a361e8bc6ccc7a9a64c88982e93e97ae3dba9d59eb8b5cfdf682fb58623
SSDEEP

24576:w3f9R75BbW8+quhlMOuRevofYqzj/gLPE93eAwUu/:w3ljNWcuMOuRDYqz5xPS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2464	SERVER~1.EXE
2192	21002001.xinwen365.com
2664	SERVER~1.EXE

Loads dropped DLL 6 IoCs

pid	Process
2176	253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe
2176	253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe
2464	SERVER~1.EXE
2176	253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe
2176	253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe
2664	SERVER~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	SERVER~1.EXE
File opened for modification	C:\Windows\LBWREE.DAT	SERVER~1.EXE
File created	C:\Windows\SPRABS.DAT	SERVER~1.EXE
File opened for modification	C:\Windows\21002001.xinwen365.com	SERVER~1.EXE
File created	C:\Windows\MUFTJE.DAT	SERVER~1.EXE
File created	C:\Windows\LBWREE.DAT	SERVER~1.EXE
File created	C:\Windows\21002001.xinwen365.com	SERVER~1.EXE
File opened for modification	C:\Windows\21002001.xinwen365.com	SERVER~1.EXE
File opened for modification	C:\Windows\MUFTJE.DAT	SERVER~1.EXE
File created	C:\Windows\COVOFY.DAT	SERVER~1.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	SERVER~1.EXE
Token: SeDebugPrivilege	2192	21002001.xinwen365.com
Token: SeDebugPrivilege	2664	SERVER~1.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2192	21002001.xinwen365.com

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2192	21002001.xinwen365.com
2192	21002001.xinwen365.com
2192	21002001.xinwen365.com

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2464	2176	253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2464	2176	253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2464	2176	253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2464	2176	253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2464	2176	253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2464	2176	253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2464	2176	253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe	28
PID 2464 wrote to memory of 2748	2464	SERVER~1.EXE	31
PID 2464 wrote to memory of 2748	2464	SERVER~1.EXE	31
PID 2464 wrote to memory of 2748	2464	SERVER~1.EXE	31
PID 2464 wrote to memory of 2748	2464	SERVER~1.EXE	31
PID 2464 wrote to memory of 2748	2464	SERVER~1.EXE	31
PID 2464 wrote to memory of 2748	2464	SERVER~1.EXE	31
PID 2464 wrote to memory of 2748	2464	SERVER~1.EXE	31
PID 2192 wrote to memory of 2720	2192	21002001.xinwen365.com	30
PID 2192 wrote to memory of 2720	2192	21002001.xinwen365.com	30
PID 2192 wrote to memory of 2720	2192	21002001.xinwen365.com	30
PID 2192 wrote to memory of 2720	2192	21002001.xinwen365.com	30
PID 2176 wrote to memory of 2664	2176	253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe	33
PID 2176 wrote to memory of 2664	2176	253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe	33
PID 2176 wrote to memory of 2664	2176	253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe	33
PID 2176 wrote to memory of 2664	2176	253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe	33
PID 2176 wrote to memory of 2664	2176	253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe	33
PID 2176 wrote to memory of 2664	2176	253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe	33
PID 2176 wrote to memory of 2664	2176	253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\253ae13ced521c757ac7a4aa9807c754_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:2748
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2664

C:\Windows\21002001.xinwen365.com
C:\Windows\21002001.xinwen365.com
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\LBWREE.DAT

Filesize
53KB

MD5
af37507e8b0d84c6cc7eedd2570e0597

SHA1
de7335ac57d9ea45322aec395ef0984711caaeea

SHA256
49c9d97b5d717bcc56f69cdba0475e015a201e8cb8252c5aa3dbc99c5af99d97

SHA512
3659d77facc27b3c583081d14d5947cfa3019004c8d433c32855d20801431f09caef2010d0744fbaf578c9ba0577359a19c0678e78c8b29845106f2afd4c0f78

Download Submit
C:\Windows\MUFTJE.DAT

Filesize
51KB

MD5
cc4a3cb525461b2363327a575e7480da

SHA1
67f67c3aad9e70a8ffa24c8bf70d5b598462aac2

SHA256
feb7adeda75f151db03bb09101a1a929b2d926750b42b37a2776e040d6226253

SHA512
49289608ae17247b04bb8fe294b227bcae0537e465d541ca08291823ab3906cd9becd48ef7401f0b956db54f819c480b06dc9ceaea0d2ab86222f780a9c2dea3

Download Submit
C:\Windows\uninstal.bat

Filesize
164B

MD5
924ea7ae6df752587469376459875c51

SHA1
ec5fa69c7e5dcaf5b57eefadc4f25a8e4ae073e1

SHA256
46c715ac82d5774479b760757498ddb0b9f75cebc116a3da81f9e438bc9bbb09

SHA512
ea7b176a411b82faf5fcd785c67180f88f9ff28f7e24c4f4b49f8e7cdc99fb60e38722b61547a4291bdd2c56b3729045c2e8d4afbecfe03612ab0dd8a7b6ae35

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER~1.EXE

Filesize
299KB

MD5
68145809f366746773ff48894a8e53e6

SHA1
2ba31a05fcc433509ab233ed9743c47fc212c92e

SHA256
89641cffd49c6805f1f31cacb8a892ba2c88a268be44d8853008214e7ead0571

SHA512
12fcbccb7ae6eaaa466035d5b8412f6a27cc5826feee89ea5b71eaa66b7ef53e5a290bca1b459fb83a9e09de06031e06d9c09f0b62b71d8d9161407e3c4bec2d

Download Submit
memory/2176-1-0x0000000001000000-0x0000000001163000-memory.dmp

Filesize
1.4MB

Download
memory/2176-10-0x0000000000B60000-0x0000000000CD9000-memory.dmp

Filesize
1.5MB

Download
memory/2176-53-0x0000000001000000-0x0000000001163000-memory.dmp

Filesize
1.4MB

Download
memory/2176-12-0x0000000000B60000-0x0000000000CD9000-memory.dmp

Filesize
1.5MB

Download
memory/2176-41-0x0000000001000000-0x0000000001163000-memory.dmp

Filesize
1.4MB

Download
memory/2176-0-0x0000000001000000-0x0000000001163000-memory.dmp

Filesize
1.4MB

Download
memory/2176-42-0x0000000000B60000-0x0000000000CD9000-memory.dmp

Filesize
1.5MB

Download
memory/2176-44-0x0000000000830000-0x0000000000993000-memory.dmp

Filesize
1.4MB

Download
memory/2192-23-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2192-54-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/2192-39-0x0000000001E70000-0x0000000001E81000-memory.dmp

Filesize
68KB

Download
memory/2192-37-0x0000000001D70000-0x0000000001D82000-memory.dmp

Filesize
72KB

Download
memory/2192-24-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/2192-57-0x0000000001E70000-0x0000000001E81000-memory.dmp

Filesize
68KB

Download
memory/2192-56-0x0000000001D70000-0x0000000001D82000-memory.dmp

Filesize
72KB

Download
memory/2192-25-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2192-22-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/2192-55-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2464-16-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/2464-13-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/2464-34-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/2664-52-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/2664-48-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/2664-46-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/2664-47-0x0000000000B40000-0x0000000000CB9000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads