156f940afb79f0ae3a13c766d9e5aa2e40870db2421f4b245f49135dc7b0f0af

General

Target

3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe
Size

3.3MB
MD5

3356aae4f5a2a83cb062e91f544fd3df
SHA1

d3e7b148cc7231cf2b99dbb53c95998169b1f831
SHA256

156f940afb79f0ae3a13c766d9e5aa2e40870db2421f4b245f49135dc7b0f0af
SHA512

2d56ddfbdd3e14f0e29831173d122cc6d5094d098f3d4e91ca0c2af388da22a441abe92a25977f9f859dde5d8076a38fc7877b56866a6fa5875bd63681f8e0e8
SSDEEP

12288:xrNogwflQWMw28nPi1Ken9UWDoUWtoOBFeBnJ8z490JWcm0:xrNoPflokn2KzWDHWtvc+Jy0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3884	explorer.exe
1344	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4596 set thread context of 4652	4596	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	80
PID 3884 set thread context of 1344	3884	explorer.exe	82

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4652	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe
4652	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe
4652	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe
4652	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 4652	4596	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	80
PID 4596 wrote to memory of 4652	4596	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	80
PID 4596 wrote to memory of 4652	4596	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	80
PID 4596 wrote to memory of 4652	4596	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	80
PID 4596 wrote to memory of 4652	4596	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	80
PID 4596 wrote to memory of 4652	4596	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	80
PID 4596 wrote to memory of 4652	4596	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	80
PID 4596 wrote to memory of 4652	4596	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	80
PID 4596 wrote to memory of 4652	4596	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	80
PID 4652 wrote to memory of 3884	4652	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	81
PID 4652 wrote to memory of 3884	4652	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	81
PID 4652 wrote to memory of 3884	4652	3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe	81
PID 3884 wrote to memory of 1344	3884	explorer.exe	82
PID 3884 wrote to memory of 1344	3884	explorer.exe	82
PID 3884 wrote to memory of 1344	3884	explorer.exe	82
PID 3884 wrote to memory of 1344	3884	explorer.exe	82
PID 3884 wrote to memory of 1344	3884	explorer.exe	82
PID 3884 wrote to memory of 1344	3884	explorer.exe	82
PID 3884 wrote to memory of 1344	3884	explorer.exe	82
PID 3884 wrote to memory of 1344	3884	explorer.exe	82
PID 3884 wrote to memory of 1344	3884	explorer.exe	82
PID 1344 wrote to memory of 2704	1344	explorer.exe	83
PID 1344 wrote to memory of 2704	1344	explorer.exe	83
PID 1344 wrote to memory of 2704	1344	explorer.exe	83

C:\Users\Admin\AppData\Local\Temp\3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Users\Admin\AppData\Local\Temp\3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3356aae4f5a2a83cb062e91f544fd3df_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\explorer.exe" 1
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Users\Admin\AppData\Local\Temp\explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\explorer.exe" 1
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2051.bat"
        5⤵
        
        PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2051.bat

Filesize
182B

MD5
c9375e809e46ef6e908cbceb5525ffab

SHA1
f6fa24a05cfe0363d711cee6e6fc2658794fd8c2

SHA256
695331f595b1a83a600a7dca93d2396ea4e34a8f8e51f527a65ea2efd45315e7

SHA512
6e1dc9935f2e562e06bad113adb0f97e1005dcb361570b903289751547a58040e46aa1e6863a1cf27aeae35b31efcd337026a668486615b0ac096bb428111daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
3.3MB

MD5
3356aae4f5a2a83cb062e91f544fd3df

SHA1
d3e7b148cc7231cf2b99dbb53c95998169b1f831

SHA256
156f940afb79f0ae3a13c766d9e5aa2e40870db2421f4b245f49135dc7b0f0af

SHA512
2d56ddfbdd3e14f0e29831173d122cc6d5094d098f3d4e91ca0c2af388da22a441abe92a25977f9f859dde5d8076a38fc7877b56866a6fa5875bd63681f8e0e8

Download Submit
memory/1344-12-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1344-14-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1344-13-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1344-18-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1344-19-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1344-22-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4652-0-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4652-2-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4652-3-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4652-17-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download

Analysis

Sharing