4f1c4b6ca3f0a7cdb57fa8156b19679e143c80562bdc9d81cea2dabd36b0f014

General

Target

2acbd8a671193b7b6dec22cebac70df0_JaffaCakes118.exe
Size

372KB
MD5

2acbd8a671193b7b6dec22cebac70df0
SHA1

cd633e094c1b876f6860a2af10da9c2b32556949
SHA256

4f1c4b6ca3f0a7cdb57fa8156b19679e143c80562bdc9d81cea2dabd36b0f014
SHA512

3b7de118127d8837c8ec6f2f266be63fb1bca40693f2d11324555be2faacdb8c984f3e8aeba925f055a51aede5fa3c8447bbf6759fdc9a4dcf199944cf594511
SSDEEP

6144:7eOW6J3Bq5YIjF2idZecnl20lHRxp3gUFAzXmcIYv8QCo/cfoYCfHgwc2jY+/oD:7pyYYF3Z4mxxbYw4Bq4YwhTC

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 2 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\Parameters\ServiceDll = "C:\\Windows\\system32\\mpeg4c32.dll"	2acbd8a671193b7b6dec22cebac70df0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\RemoteAccess\Parameters\ServiceDll = "C:\\Windows\\system32\\mpeg4c32.dll"	2acbd8a671193b7b6dec22cebac70df0_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1844	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mpeg4c32.dll	2acbd8a671193b7b6dec22cebac70df0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mpeg4c32.dll	2acbd8a671193b7b6dec22cebac70df0_JaffaCakes118.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2860	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
832	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2224	2acbd8a671193b7b6dec22cebac70df0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	2acbd8a671193b7b6dec22cebac70df0_JaffaCakes118.exe
Token: SeDebugPrivilege	2860	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2860	2224	2acbd8a671193b7b6dec22cebac70df0_JaffaCakes118.exe	30
PID 2224 wrote to memory of 2860	2224	2acbd8a671193b7b6dec22cebac70df0_JaffaCakes118.exe	30
PID 2224 wrote to memory of 2860	2224	2acbd8a671193b7b6dec22cebac70df0_JaffaCakes118.exe	30
PID 2224 wrote to memory of 2860	2224	2acbd8a671193b7b6dec22cebac70df0_JaffaCakes118.exe	30
PID 2224 wrote to memory of 1844	2224	2acbd8a671193b7b6dec22cebac70df0_JaffaCakes118.exe	33
PID 2224 wrote to memory of 1844	2224	2acbd8a671193b7b6dec22cebac70df0_JaffaCakes118.exe	33
PID 2224 wrote to memory of 1844	2224	2acbd8a671193b7b6dec22cebac70df0_JaffaCakes118.exe	33
PID 2224 wrote to memory of 1844	2224	2acbd8a671193b7b6dec22cebac70df0_JaffaCakes118.exe	33
PID 1844 wrote to memory of 832	1844	cmd.exe	35
PID 1844 wrote to memory of 832	1844	cmd.exe	35
PID 1844 wrote to memory of 832	1844	cmd.exe	35
PID 1844 wrote to memory of 832	1844	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\2acbd8a671193b7b6dec22cebac70df0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2acbd8a671193b7b6dec22cebac70df0_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im 360tray.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ping localhost -n 1 && del "C:\Users\Admin\AppData\Local\Temp\2acbd8a671193b7b6dec22cebac70df0_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 1
    3⤵
    - Runs ping.exe
    PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2224-1-0x0000000000310000-0x0000000000364000-memory.dmp

Filesize
336KB

Download
memory/2224-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2224-9-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2224-8-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2224-7-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2224-6-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2224-11-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2224-10-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2224-5-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2224-12-0x0000000003180000-0x0000000003182000-memory.dmp

Filesize
8KB

Download
memory/2224-4-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2224-3-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2224-2-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2224-28-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2224-17-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2224-25-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/2224-32-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/2224-31-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2224-30-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/2224-29-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2224-27-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/2224-26-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/2224-24-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2224-23-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/2224-22-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/2224-21-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2224-20-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2224-19-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/2224-18-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/2224-16-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2224-15-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/2224-14-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2224-13-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2224-35-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2224-36-0x0000000000310000-0x0000000000364000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing