dc0af5e12889c1e9088fb7b939f4e674abafdd1c0a690dc3eff638e764cab9ca

General

Target

385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
Size

411KB
MD5

385f90ff96be269a3e742835ace47a94
SHA1

b4e818a749e8a973ed86af43c5ea96d8b2b3ce56
SHA256

dc0af5e12889c1e9088fb7b939f4e674abafdd1c0a690dc3eff638e764cab9ca
SHA512

b7354bb46c9ed450f23b89dbe25ff4081ab9ef14a96b3c2f8d8ff117c3869eec2ca3703cdacb6cb4f85ee699f0885816afd280b6cdb2a954efa31bc522c5fe1c
SSDEEP

6144:e2h3vHpW/KNGX+RtF2idZecnl20lHRxp3gAncduD7yB9VCO6Sco4q8+dE6Cqh:9oW8sF3Z4mxxjDqVTVOCh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WinDir = "{bfbc1a78-cddd-1672-876e-324d6c4686e9}"	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
3068	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\NTboot.log	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NTboot.exe	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NTboot.exe	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NTboot32.dll	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{bfbc1a78-cddd-1672-876e-324d6c4686e9}\InProcServer32	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{bfbc1a78-cddd-1672-876e-324d6c4686e9}	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{bfbc1a78-cddd-1672-876e-324d6c4686e9}\InProcServer32\ = "NTboot32.dll"	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{bfbc1a78-cddd-1672-876e-324d6c4686e9}\InProcServer32\ThreadingModel = "Apartment"	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3068	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
3068	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
3068	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
3068	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
3068	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3068	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2176	3068	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2176	3068	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2176	3068	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2176	3068	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2176	3068	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2176	3068	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2704	3068	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe	31
PID 3068 wrote to memory of 2704	3068	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe	31
PID 3068 wrote to memory of 2704	3068	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe	31
PID 3068 wrote to memory of 2704	3068	385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\385f90ff96be269a3e742835ace47a94_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\385F90~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\NTboot.log

Filesize
244B

MD5
306c7104dd28eac94ff3e4b47bc5e85f

SHA1
a75e4c2cb84a60c48fe2067b9225d0cffca2450b

SHA256
7af6f18882115b3b7ebfb37434655b807801ed311893bb764a941076553904cd

SHA512
4ee5ab6895396f96d71705a19b9c263ed8ed2cfb4d534db7b20cc3cc14fd15f910cc04d475747bf3300c4260d14fe974acd1d6207654b1758ce92e0dbe8b2a5b

Download Submit
\Windows\SysWOW64\NTboot32.dll

Filesize
132KB

MD5
74b91ecf650a1f6b3454015c32a5c38d

SHA1
980074c212eebb200b1e98494ec704324bd3e964

SHA256
84e631534e6c48feffa39fb250eb0c3781db599e590661a1fc560db9d9002034

SHA512
9975183aa0ea81cde42d3632da91ed61cfd13f1435436f52586ca774844764afa445ee6acbfe2777490f233b72ce09aea7c32882e9d4c9f6488adc652260c30b

Download Submit
memory/3068-9-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/3068-4-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/3068-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3068-8-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/3068-7-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/3068-6-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3068-5-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3068-10-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3068-3-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/3068-2-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/3068-11-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/3068-1-0x0000000000310000-0x0000000000364000-memory.dmp

Filesize
336KB

Download
memory/3068-32-0x0000000000310000-0x0000000000364000-memory.dmp

Filesize
336KB

Download
memory/3068-31-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads