78a86d7921674b126d4a3e5e6513059cf75a847dee3e409a09f083c2d3376f78

General

Target

29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe
Size

998KB
MD5

29a8e816886abe7054f5600210d040a1
SHA1

d5134831d99701195f0fecc30cc8ee8b891802cc
SHA256

78a86d7921674b126d4a3e5e6513059cf75a847dee3e409a09f083c2d3376f78
SHA512

d778dbedfaf1226a9b81960b4027ef040442391a38ae4132f11247814fa1772adf0d99389a2ced12faa91bcb706efd4b0a027d527a820ce42380bb7f75093770
SSDEEP

24576:IedqEi/4uK3Jfe+8PcAPiIhQk76kNil8FkC49GyJve4eg6pPhBLD:Ie81b9Fueg6PV

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\isass.exe = "\"C:\\Users\\Admin\\AppData\\Local\\isass.exe \""	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
1872	isass.exe

Loads dropped DLL 3 IoCs

pid	Process
3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe
3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe
1872	isass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3052	reg.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe
3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe
3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe
3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe
3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe
3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe
3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe
Token: SeRestorePrivilege	2548	7zFM.exe
Token: 35	2548	7zFM.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2548	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1872	isass.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 1872	3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe	28
PID 3068 wrote to memory of 1872	3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe	28
PID 3068 wrote to memory of 1872	3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe	28
PID 3068 wrote to memory of 1872	3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe	28
PID 3068 wrote to memory of 2548	3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe	29
PID 3068 wrote to memory of 2548	3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe	29
PID 3068 wrote to memory of 2548	3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe	29
PID 3068 wrote to memory of 2548	3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe	29
PID 3068 wrote to memory of 2700	3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2700	3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2700	3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2700	3068	29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2412	2700	cmd.exe	32
PID 2700 wrote to memory of 2412	2700	cmd.exe	32
PID 2700 wrote to memory of 2412	2700	cmd.exe	32
PID 2700 wrote to memory of 2412	2700	cmd.exe	32
PID 2412 wrote to memory of 3052	2412	cmd.exe	33
PID 2412 wrote to memory of 3052	2412	cmd.exe	33
PID 2412 wrote to memory of 3052	2412	cmd.exe	33
PID 2412 wrote to memory of 3052	2412	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\29a8e816886abe7054f5600210d040a1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\isass.exe
  "C:\Users\Admin\AppData\Local\isass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1872
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\yeni winrar arsivi.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c syscheck.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V isass.exe /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /V isass.exe /D "\"C:\Users\Admin\AppData\Local\isass.exe \"" /f
      4⤵
      Adds policy Run key to start application
      Modifies registry key
      PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\syscheck.bat

Filesize
168B

MD5
d3f3c14a20d4537a8287dfeeef397416

SHA1
ac0f75053a5e72ee49eb570892f5a93efb06bfbd

SHA256
589427c9fab1d3e2518f02c3186faf4dbcdbf3d741c7cdcac745b8935b768da5

SHA512
04254a19c3f587d1f7f6dbe72e9c55b2bd40451e42244d49b7d14750bf2484e726dfcb7597ffd32c6d90610b0e5ed162ff5ce59973f232f9a45e1b1feab923dd

Download Submit
C:\Users\Admin\AppData\Local\ntldr.dll

Filesize
146KB

MD5
6df55f30130fbee51845413ba4b6e95a

SHA1
f901765269f01a95807d248f00024941eef8a9fb

SHA256
39c5114cb0342ae5c6703b4bb361f1709cd26961eb623bb242b4d74c273b42ce

SHA512
96f79d673c599ec5cd63ca163472a9a2c306393354710f0f07215fd4ccf45096a5f53d510cb0ca00f5115ff10476e7fd905e9fa138950f3421000d61e3606224

Download Submit
\Users\Admin\AppData\Local\isass.exe

Filesize
416KB

MD5
048b0f742fe03bf385d950d6a30c85d2

SHA1
396a20288772c408e575e95e2e2634ce225bedb6

SHA256
93ae50cba29f2a11971d15987537ae7eb43c6a5630d508dd10c84a22974c10d9

SHA512
ef90df7454916018bb07ebf4299cd905bce0b06682f0dae04d4e05c3b7d74214c1d2940f3689086eefaa49c5b6b8e37a221c929f0a5e1e3fe5300ab791c5d6f1

Download Submit
memory/1872-12-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1872-21-0x0000000000600000-0x0000000000629000-memory.dmp

Filesize
164KB

Download
memory/1872-26-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3068-0-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/3068-24-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads