6f373a7297a95aa16c4cfd71246b6654d514a985fd3e2dfb2bb71b988cea4b53

General

Target

2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe
Size

130KB
MD5

2e5bba0acc91e34c1a73aa27360cd95c
SHA1

ff0104b4b17be883108eadf76b8629eafbc7a604
SHA256

6f373a7297a95aa16c4cfd71246b6654d514a985fd3e2dfb2bb71b988cea4b53
SHA512

b98956f7cd30d7da720a8fa59b8baa9c671838426b84b34f85802211da26c4dd89abc9a9aaf4509844a9e8605494ce8507f812370e1136ea31d678d40d1e9b70
SSDEEP

3072:F/5TRrRQh2vlrtUwAKvynMkYbaMtZFskVH4p:F/lxW2vlBG6kYbn/

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe
4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\help\B41346EFA848.dll	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe
File opened for modification	C:\Windows\help\B41346EFA848.dll	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\help\\B41346EFA848.dll"	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe
Token: SeRestorePrivilege	4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe
Token: SeRestorePrivilege	4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe
Token: SeRestorePrivilege	4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe
Token: SeRestorePrivilege	4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe
Token: SeRestorePrivilege	4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe
Token: SeBackupPrivilege	4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe
Token: SeRestorePrivilege	4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe
Token: SeRestorePrivilege	4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe
Token: SeRestorePrivilege	4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe
Token: SeRestorePrivilege	4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe
Token: SeRestorePrivilege	4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 3544	4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe	82
PID 4020 wrote to memory of 3544	4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe	82
PID 4020 wrote to memory of 3544	4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe	82
PID 4020 wrote to memory of 4356	4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe	87
PID 4020 wrote to memory of 4356	4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe	87
PID 4020 wrote to memory of 4356	4020	2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e5bba0acc91e34c1a73aa27360cd95c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:3544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:4356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
dccc514e635c1669c2d30b6c1a3c66aa

SHA1
d040cb16427a421f73a696db4922dafcd5aef59a

SHA256
ef7c3100284c53bd53f56348156360a06b22c30dec586727b9c8087f30bade2d

SHA512
c3bf049aaf7ad0859ce502acdc48e90045d37427c2634b844385fc0c1d34b9d6f10190aba638438f5714b916d855f0cab8907e77c6aa9525c8b6d8b2a6cd52fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
62B

MD5
3cd72266d36b15d25f3d13498c147cf5

SHA1
a73de434273407079c50506663f5ff3a88598fb3

SHA256
55adff3f51479fc283bef41f8011170d0d3b15a3f92f49d41d53fcdaebc5d565

SHA512
17370bff47ba5296771af321a1f17a7527580b1fc5f89a0d5e08d0b3027f5a35a06af795a1518fee15bb2837ec3c045d9e90350a23eca8855b04e2b2245c6f0d

Download Submit
C:\Windows\Help\B41346EFA848.dll

Filesize
117KB

MD5
1e92cc090bcd266e390a736ee9dbd966

SHA1
1086f579d56f876c7d87eabe193a60dbdc2e3368

SHA256
4c017e11affaab8534bd8edca4cabd5ee802494d364741906476a5c8a3b00e4e

SHA512
8165ad35ceb560e3a61be89ee1a673f360f12e447b658f26a14b48de7576a8b056d798b3082ee85c051b5f78320e15919fbcfa7fd3a0a50d2d1da86edac8fa8d

Download Submit
memory/4020-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-1-0x000000000042E000-0x000000000042F000-memory.dmp

Filesize
4KB

Download
memory/4020-2-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-15-0x0000000002190000-0x00000000021E0000-memory.dmp

Filesize
320KB

Download
memory/4020-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-19-0x000000000042E000-0x000000000042F000-memory.dmp

Filesize
4KB

Download
memory/4020-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-23-0x0000000002190000-0x00000000021E0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing