06b935f8710775424e7c9a82e202012ba15df02f35809e3c07eec30ba8f0906a

General

Target

3acd3beebaad8b7d1648347f03f6f2ef_JaffaCakes118.exe
Size

534KB
MD5

3acd3beebaad8b7d1648347f03f6f2ef
SHA1

163befe5a4f18478dc2baf76d04546fc78a08621
SHA256

06b935f8710775424e7c9a82e202012ba15df02f35809e3c07eec30ba8f0906a
SHA512

0d15299e371c1d719930a311cb5660f6f7cfc26c904c41b5df65ff9f365afbbdf5c8e09e9edb2dd1bb5f51f6b5e9992ba7fbb50e132674c91dacb5e78b53ec75
SSDEEP

12288:UsAL/W5L/SZdSCvTF+bDTqXTa7v5ougtHEg/7Q4hvayCRw/R:UsW/WNSZ8CLGETEjgXs4hIe

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8EAA5E8-8B9A-11D5-EBA1-F78EEEEEE983}	3acd3beebaad8b7d1648347f03f6f2ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8EAA5E8-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "msfbs32.exe"	3acd3beebaad8b7d1648347f03f6f2ef_JaffaCakes118.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	3acd3beebaad8b7d1648347f03f6f2ef_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	3acd3beebaad8b7d1648347f03f6f2ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	3acd3beebaad8b7d1648347f03f6f2ef_JaffaCakes118.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\concp32.exe	3acd3beebaad8b7d1648347f03f6f2ef_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\concp32.exe	3acd3beebaad8b7d1648347f03f6f2ef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\vcl32.exe	3acd3beebaad8b7d1648347f03f6f2ef_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\vcl32.exe	3acd3beebaad8b7d1648347f03f6f2ef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msfbs32.exe	3acd3beebaad8b7d1648347f03f6f2ef_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msfbs32.exe	3acd3beebaad8b7d1648347f03f6f2ef_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2504	2268	WerFault.exe	82

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8EAA5E8-8B9A-11D5-EBA1-F78EEEEEE983}	3acd3beebaad8b7d1648347f03f6f2ef_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8EAA5E8-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	3acd3beebaad8b7d1648347f03f6f2ef_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8EAA5E8-8B9A-11D5-EBA1-F78EEEEEE983}\sm = ebb5525fa3bcf9422c8ff945977d6af9	3acd3beebaad8b7d1648347f03f6f2ef_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8EAA5E8-8B9A-11D5-EBA1-F78EEEEEE983}\ax = 45e85de9912bab02a9089077d44268e2	3acd3beebaad8b7d1648347f03f6f2ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	3acd3beebaad8b7d1648347f03f6f2ef_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2268	3acd3beebaad8b7d1648347f03f6f2ef_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3acd3beebaad8b7d1648347f03f6f2ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3acd3beebaad8b7d1648347f03f6f2ef_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 744
  2⤵
  - Program crash
  PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2268 -ip 2268
1⤵
PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\concp32.exe

Filesize
543KB

MD5
98277f86be24178ee8b90fa821ee7a75

SHA1
90a08c9ffeeac63e4a9e0c2330d7f369ec547a1f

SHA256
24c05af1b7e6abc7ea81e0ed0677a0937ad3aea9112ee1cf0b83d13f9d2381cc

SHA512
8e9c0994cb40ea66c00c31dd31e17565406a10d7d9ca84a23b8cabb79e15e08c21b478c99f3995013282f74d80c6b966df3649e292e79b7e5c541324f43e73a6

Download Submit
memory/2268-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2268-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads