1bfecd956edf85412a0e7b3a38a29a55960da52f3b8a84b2477b670de755784c

General

Target

347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe
Size

193KB
MD5

347514c3fc633e1f01c7cc941fad26fa
SHA1

27f41803c21809097f7d60c2d47a373af44c2df6
SHA256

1bfecd956edf85412a0e7b3a38a29a55960da52f3b8a84b2477b670de755784c
SHA512

4438e2ad069025b79ce4a847f04961d19780f600d8247176d02beaffb1fb42178f839a968295924aeb9a4212c482e4c64ea35259d9c4f7cd55cac233113a35a4
SSDEEP

6144:52c9Y0Bw3O85ixxumSiG+Nxm5/1DPwFhPSP:Ec9Y0B8O8wxYBoq/NojSP

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\help\EB6C4499B05F.dll	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe
File opened for modification	C:\Windows\help\EB6C4499B05F.dll	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\help\\EB6C4499B05F.dll"	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe
Token: SeBackupPrivilege	2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2796	2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe	30
PID 2692 wrote to memory of 2796	2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe	30
PID 2692 wrote to memory of 2796	2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe	30
PID 2692 wrote to memory of 2796	2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe	30
PID 2692 wrote to memory of 2120	2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe	32
PID 2692 wrote to memory of 2120	2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe	32
PID 2692 wrote to memory of 2120	2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe	32
PID 2692 wrote to memory of 2120	2692	347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\347514c3fc633e1f01c7cc941fad26fa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
084391877619ba70f8c0c32a284e2860

SHA1
7d3c1227a9fd8acb763049142443152a4f9748bb

SHA256
11aded5764c570597c697f3f655f9a80420268cbf01876b8a937a54b4f640aa4

SHA512
712bc4715602fa460905ad16b02ca3af20db3a5f7132356d6753f947bddd607305350ccf26c7899f2e158a8d5963805eff1a9574d0ca58336605977d43c8a2a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
1b7baeb128f11d70a51ee5452e523c2a

SHA1
6c161f13a825ea67638d3191095745d8fa8a9761

SHA256
8f3340c3bb8b1ad6ab31bc03c4a7a0b4df09ade20ec5d529d930a17a8ba159c3

SHA512
a1ecbc820258e4b7e0d23b1980d38104649351a77a6925711e86c8cd5d53491626d927afa4a4826a9b47996b93cfc0b79f73427c4ada746020293b4fe3ce3100

Download Submit
\Windows\Help\EB6C4499B05F.dll

Filesize
132KB

MD5
da29e67a79b185913945dd8cf40f22f1

SHA1
6cfd2701dd1e11a2efa2a37b060cacc185576507

SHA256
1b89fd9f273158ea92ec727b3d7492c007746dd55f2a9024955ecff67b8bfd27

SHA512
00b4258022199a1facfa4a6aa6aea910259c6adb9f968126b7a9243925f5023b8ae7579b6ec3a292238f882b52a9748a8b2125ce132eb958e0fa0758a107d5db

Download Submit
memory/2692-7-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2692-23-0x00000000002A4000-0x00000000002C5000-memory.dmp

Filesize
132KB

Download
memory/2692-22-0x0000000000270000-0x00000000002C6000-memory.dmp

Filesize
344KB

Download
memory/2692-21-0x0000000000270000-0x00000000002C6000-memory.dmp

Filesize
344KB

Download
memory/2692-24-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2692-25-0x0000000000270000-0x00000000002C6000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing