ab98a5f6d8ebdfd512746f65a31dbc6f899873c3f796bd911f895217cd5831c6

General

Target

2d12d5515398d39ff5964cfb2f0c4786_JaffaCakes118.exe
Size

202KB
MD5

2d12d5515398d39ff5964cfb2f0c4786
SHA1

99dddacec9c7b10e344efdfd25b38765cb30ee46
SHA256

ab98a5f6d8ebdfd512746f65a31dbc6f899873c3f796bd911f895217cd5831c6
SHA512

c220dcf6f1101137b6eeebd5609635050e26095a505cb44b8c27954989a8c3d63fd6eb9dbee263d04660849b794190fb6fb6bd2651db75cb5e5ca82bf6a46ad6
SSDEEP

6144:cQH1TknB9azBa4mo3Sn9nkwqK0wCwfEXTbFfhOY2eu0s:cQH1TknB9ABagSnqQ0kfu1fhOY4

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppCert DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.
persistence privilege_escalation

AppCert DLLs
T1546.009

Deletes itself 1 IoCs

pid	Process
2616	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1404	Explorer.EXE

Loads dropped DLL 7 IoCs

pid	Process
2528	2d12d5515398d39ff5964cfb2f0c4786_JaffaCakes118.exe
2736	rundll32.exe
2736	rundll32.exe
2736	rundll32.exe
2736	rundll32.exe
2616	cmd.exe
2668	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\chkn_ssp.dll	2d12d5515398d39ff5964cfb2f0c4786_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\chkn_ssp64.dll	2d12d5515398d39ff5964cfb2f0c4786_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2528	2d12d5515398d39ff5964cfb2f0c4786_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2736	2528	2d12d5515398d39ff5964cfb2f0c4786_JaffaCakes118.exe	29
PID 2528 wrote to memory of 2736	2528	2d12d5515398d39ff5964cfb2f0c4786_JaffaCakes118.exe	29
PID 2528 wrote to memory of 2736	2528	2d12d5515398d39ff5964cfb2f0c4786_JaffaCakes118.exe	29
PID 2528 wrote to memory of 2736	2528	2d12d5515398d39ff5964cfb2f0c4786_JaffaCakes118.exe	29
PID 2528 wrote to memory of 2616	2528	2d12d5515398d39ff5964cfb2f0c4786_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2616	2528	2d12d5515398d39ff5964cfb2f0c4786_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2616	2528	2d12d5515398d39ff5964cfb2f0c4786_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2616	2528	2d12d5515398d39ff5964cfb2f0c4786_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2616	2528	2d12d5515398d39ff5964cfb2f0c4786_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2616	2528	2d12d5515398d39ff5964cfb2f0c4786_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2616	2528	2d12d5515398d39ff5964cfb2f0c4786_JaffaCakes118.exe	30
PID 2736 wrote to memory of 1404	2736	rundll32.exe	20
PID 2736 wrote to memory of 1404	2736	rundll32.exe	20
PID 2616 wrote to memory of 2668	2616	cmd.exe	32
PID 2616 wrote to memory of 2668	2616	cmd.exe	32
PID 2616 wrote to memory of 2668	2616	cmd.exe	32
PID 2616 wrote to memory of 2668	2616	cmd.exe	32
PID 2616 wrote to memory of 2668	2616	cmd.exe	32
PID 2616 wrote to memory of 2668	2616	cmd.exe	32
PID 2616 wrote to memory of 2668	2616	cmd.exe	32

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2668	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1404
- C:\Users\Admin\AppData\Local\Temp\2d12d5515398d39ff5964cfb2f0c4786_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2d12d5515398d39ff5964cfb2f0c4786_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\chkn_ssp64.dll",CreateProcessNotify
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\259559018.bat" "C:\Users\Admin\AppData\Local\Temp\2d12d5515398d39ff5964cfb2f0c4786_JaffaCakes118.exe""
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -r -h"C:\Users\Admin\AppData\Local\Temp\2d12d5515398d39ff5964cfb2f0c4786_JaffaCakes118.exe"
      4⤵
      Loads dropped DLL
      Views/modifies file attributes
      PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

AppCert DLLs

1

T1546.009

Privilege Escalation

Event Triggered Execution

1

T1546

AppCert DLLs

1

T1546.009

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259559018.bat

Filesize
97B

MD5
d226a657b279c5fc0a892748230a56ff

SHA1
fa7e4fb6d6de3c4769001cbfce0a00ba02ef28a5

SHA256
9dae2767b8e3499d37418a75ddd04d457c7ec8d6c8f312ee109c95a8a97e7761

SHA512
07d55ccf3b511c3be64f6dcd05cea3feaafb286196e5d7ba30016ab6d9c0d656fb7cde8eb1ce0ef28a41f1f3f00f0e29020c92479619fd43e4ed47b829f8bf2a

Download Submit
\Windows\SysWOW64\chkn_ssp.dll

Filesize
68KB

MD5
5de8c753c5a55c5de9962fb9e514c27c

SHA1
cca4ccb47f63d981cfe73eee0eefc57408746ca3

SHA256
3c7695be8e54eea5e14a2217a9338a2b8be9a67c8a9108dc8515420aff9ed3b2

SHA512
6b2b84986b04316040c71814c7781cb788bd67a194027fafaeb66b939a86e31ca45b25ddcb11cf52faf8eda478f7f893c85a6b0e9b5970fd52823148465d423a

Download Submit
\Windows\System32\chkn_ssp64.dll

Filesize
75KB

MD5
18f07ee4843f39c9415cf97d42d2f05d

SHA1
efd7df3541af0a8488ecdd3e89eb8651a45decca

SHA256
10a4cf1a1b35b82df1de7b2e8b0c104357513f2cba5ef47c53c03fdf81bee402

SHA512
f3657770f5e08dfa09898e5b75cd65dc343256f51239c7e4fd025cc777da92eb75a9ca040acd41ca65b9b1b09d08e0b42719cb9272778a4d83720033d438ea89

Download Submit
memory/1404-28-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/1404-36-0x0000000180000000-0x0000000180019000-memory.dmp

Filesize
100KB

Download
memory/1404-52-0x0000000180000000-0x0000000180019000-memory.dmp

Filesize
100KB

Download
memory/1404-33-0x0000000180000000-0x0000000180019000-memory.dmp

Filesize
100KB

Download
memory/2528-43-0x0000000001000000-0x0000000001034000-memory.dmp

Filesize
208KB

Download
memory/2528-0-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2528-35-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2528-34-0x0000000001000000-0x0000000001034000-memory.dmp

Filesize
208KB

Download
memory/2528-1-0x0000000001000000-0x0000000001034000-memory.dmp

Filesize
208KB

Download
memory/2528-44-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2528-7-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2528-6-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/2616-22-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2616-51-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2668-50-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2736-25-0x0000000180000000-0x0000000180019000-memory.dmp

Filesize
100KB

Download
memory/2736-14-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing