0533b9330a60da8c7f8de8587ce3437d6b0f34c17c089bffe730d8e828279c80

General

Target

3285450677e921b1b266bae9f1454838_JaffaCakes118.exe
Size

133KB
MD5

3285450677e921b1b266bae9f1454838
SHA1

3770f2bda71a6e46b87b0d97f3dadc0726b741b8
SHA256

0533b9330a60da8c7f8de8587ce3437d6b0f34c17c089bffe730d8e828279c80
SHA512

a9cbf292510f2cff9ee280aa7dc7a4b6c52d90be7f12c8751027663d7dbc1d9ce7fb520272a0d24b840d56c2e38c18cce6fee94b4adbbdf2e1fce9396086abcd
SSDEEP

3072:3gYRvksstTEq4Fn5f6J/cRLcfdcDjpg1P5SQRzI:3gAOt4q4l5f4cRofGB0gQFI

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
2	2108	rundll32.exe
5	2108	rundll32.exe
6	2108	rundll32.exe
7	2108	rundll32.exe
8	1920	rundll32.exe
9	1920	rundll32.exe
10	1920	rundll32.exe
11	1920	rundll32.exe

Loads dropped DLL 6 IoCs

pid	Process
2108	rundll32.exe
2108	rundll32.exe
2108	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3016-0-0x0000000000010000-0x000000000004B000-memory.dmp	upx
behavioral1/memory/3016-3-0x0000000000010000-0x000000000004B000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3285450677e921b1b266bae9f1454838_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\inf\machinez.inf	rundll32.exe
File opened for modification	C:\Windows\inf\machinez.inf	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2108	3016	3285450677e921b1b266bae9f1454838_JaffaCakes118.exe	29
PID 3016 wrote to memory of 2108	3016	3285450677e921b1b266bae9f1454838_JaffaCakes118.exe	29
PID 3016 wrote to memory of 2108	3016	3285450677e921b1b266bae9f1454838_JaffaCakes118.exe	29
PID 3016 wrote to memory of 2108	3016	3285450677e921b1b266bae9f1454838_JaffaCakes118.exe	29
PID 3016 wrote to memory of 2108	3016	3285450677e921b1b266bae9f1454838_JaffaCakes118.exe	29
PID 3016 wrote to memory of 2108	3016	3285450677e921b1b266bae9f1454838_JaffaCakes118.exe	29
PID 3016 wrote to memory of 2108	3016	3285450677e921b1b266bae9f1454838_JaffaCakes118.exe	29
PID 2108 wrote to memory of 1284	2108	rundll32.exe	30
PID 2108 wrote to memory of 1284	2108	rundll32.exe	30
PID 2108 wrote to memory of 1284	2108	rundll32.exe	30
PID 2108 wrote to memory of 1284	2108	rundll32.exe	30
PID 1284 wrote to memory of 1920	1284	RunDll32.exe	31
PID 1284 wrote to memory of 1920	1284	RunDll32.exe	31
PID 1284 wrote to memory of 1920	1284	RunDll32.exe	31
PID 1284 wrote to memory of 1920	1284	RunDll32.exe	31
PID 1284 wrote to memory of 1920	1284	RunDll32.exe	31
PID 1284 wrote to memory of 1920	1284	RunDll32.exe	31
PID 1284 wrote to memory of 1920	1284	RunDll32.exe	31

C:\Users\Admin\AppData\Local\Temp\3285450677e921b1b266bae9f1454838_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3285450677e921b1b266bae9f1454838_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysTem32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\strFileDestVar1.cpl"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\system32\RunDll32.exe
    C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\strFileDestVar1.cpl"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\strFileDestVar1.cpl"
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Drops file in Windows directory
      PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\strFileDestVar1.cpl

Filesize
72KB

MD5
b9fdc50bfc219a4e4eae9d0cc464acf7

SHA1
e77baea28ff4b791e129426ddf9874c26c9324be

SHA256
f4972961a1b003bf9d874cf29db74747f003e97aefc1999828bfe182448d67fb

SHA512
7aa253019930edba40eb6d8f83733fbdee85b29d9cc968228d2bbcf917e6c97b0ea4afd3d15f0a7c8e2fce462f7a04c175ae79b914690841dfe255969675a379

Download Submit
C:\Windows\inf\machinez.inf

Filesize
208B

MD5
e1fd385ea4c18cff43847a0c01e56529

SHA1
f832bb31b59c2cab0be61f01c92c9d319790cbf5

SHA256
93e394ab51ce15254b360f4400e539c90464914761f8f116b2365860dffbd784

SHA512
7ad6b80ceeae3526c6344d0e18717055257556ba85bab024dd9adf1ad6ded06930244ee7b0be738df72b6f61203ba05034b3cf4c4bb08563aa5af9912ef04835

Download Submit
memory/1920-23-0x0000000000240000-0x000000000028D000-memory.dmp

Filesize
308KB

Download
memory/1920-26-0x0000000000240000-0x000000000028D000-memory.dmp

Filesize
308KB

Download
memory/1920-27-0x0000000000240000-0x000000000028D000-memory.dmp

Filesize
308KB

Download
memory/2108-8-0x0000000000870000-0x00000000008BD000-memory.dmp

Filesize
308KB

Download
memory/2108-9-0x0000000000870000-0x00000000008BD000-memory.dmp

Filesize
308KB

Download
memory/2108-10-0x00000000008A2000-0x00000000008B4000-memory.dmp

Filesize
72KB

Download
memory/2108-12-0x0000000000870000-0x00000000008BD000-memory.dmp

Filesize
308KB

Download
memory/3016-0-0x0000000000010000-0x000000000004B000-memory.dmp

Filesize
236KB

Download
memory/3016-3-0x0000000000010000-0x000000000004B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing