ac9c49345037928dbff133e3fffc52f4a6a090f7d4e02825549ed6df621ad074

General

Target

3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
Size

60KB
MD5

3a5fcb6c6500140fd2be9b603a5b25bf
SHA1

fd905798f5e0f4d9c3dcb74e7d595d93c4e21ddf
SHA256

ac9c49345037928dbff133e3fffc52f4a6a090f7d4e02825549ed6df621ad074
SHA512

21d0ccbc4080c0536d8f7b7f469f5181b6699cd4c19bcbb6f471ff1c034a17b8be345e28bd457959dae9928736a17e536124762b708b7df2e1f45616031b7200
SSDEEP

768:VWu3YUFlLUyNuDcg4yHCN+e/KYIEnIOX4fQGW8B0eaVAy+0ZEqhlNC+NPKwV9O+B:FldNuDXHC1iZExj8BLy/ZDhlw+sYQ+B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2680	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
2292	3EAOWHLH.exe
2756	TNL29H.com
2060	TNL29H.com
2792	3D7IKFDYYM.exe

Loads dropped DLL 4 IoCs

pid	Process
2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3EAOWHLH.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TNL29H.com	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\TNL29H.com	TNL29H.com
File created	C:\Windows\SysWOW64\3D7IKFDYYM.exe	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\3D7IKFDYYM.exe	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\12528438.txt	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\12528438.txt	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\TNL29H.com	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\GN3PPB6B2P.txt	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\3EAOWHLH.exe	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\3EAOWHLH.exe	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "no"	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Enable AutoImageResize = "no"	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2792	3D7IKFDYYM.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
2292	3EAOWHLH.exe
2292	3EAOWHLH.exe
2292	3EAOWHLH.exe
2292	3EAOWHLH.exe
2292	3EAOWHLH.exe
2756	TNL29H.com
2060	TNL29H.com
2060	TNL29H.com
2060	TNL29H.com
2060	TNL29H.com
2792	3D7IKFDYYM.exe
2792	3D7IKFDYYM.exe
2060	TNL29H.com

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 664	2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	29
PID 2388 wrote to memory of 664	2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	29
PID 2388 wrote to memory of 664	2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	29
PID 2388 wrote to memory of 664	2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	29
PID 2388 wrote to memory of 2292	2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2292	2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2292	2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2292	2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	31
PID 2756 wrote to memory of 2060	2756	TNL29H.com	33
PID 2756 wrote to memory of 2060	2756	TNL29H.com	33
PID 2756 wrote to memory of 2060	2756	TNL29H.com	33
PID 2756 wrote to memory of 2060	2756	TNL29H.com	33
PID 2388 wrote to memory of 2792	2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	34
PID 2388 wrote to memory of 2792	2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	34
PID 2388 wrote to memory of 2792	2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	34
PID 2388 wrote to memory of 2792	2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	34
PID 2388 wrote to memory of 2680	2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	35
PID 2388 wrote to memory of 2680	2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	35
PID 2388 wrote to memory of 2680	2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	35
PID 2388 wrote to memory of 2680	2388	3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe	35
PID 2792 wrote to memory of 2884	2792	3D7IKFDYYM.exe	36
PID 2792 wrote to memory of 2884	2792	3D7IKFDYYM.exe	36
PID 2792 wrote to memory of 2884	2792	3D7IKFDYYM.exe	36
PID 2792 wrote to memory of 2884	2792	3D7IKFDYYM.exe	36

C:\Users\Admin\AppData\Local\Temp\3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a5fcb6c6500140fd2be9b603a5b25bf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\3EAOWHLHP.bat
  2⤵
  PID:664
- C:\Windows\SysWOW64\3EAOWHLH.exe
  C:\Windows\system32\3EAOWHLH.exe
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  PID:2292
- C:\Windows\SysWOW64\3D7IKFDYYM.exe
  "C:\Windows\system32\3D7IKFDYYM.exe" -jscript
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\3D7IKF~1.EXE > nul
    3⤵
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3A5FCB~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2680

C:\Windows\SysWOW64\TNL29H.com
C:\Windows\SysWOW64\TNL29H.com -kLocalService
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\TNL29H.com
  C:\Windows\SysWOW64\TNL29H.com
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\3EAOWHLHP.bat

Filesize
1KB

MD5
8549e6ce1583a7f67bff74d0d6faae96

SHA1
8d80a1cec994f3e7f7b02cf01100f7912dbde9d8

SHA256
c6cede90d0c54a3bdd952d90bc11e838d852458bc0a9459cefb17078bec77334

SHA512
74931d4097714ed353fe650c2cbacec33b89ce27d9f33030728dc3a7c7f15bfa6c361b9f896ffad936687407ae89712606181d91b90cfe72f85382019092e90f

Download Submit
C:\Windows\SysWOW64\12528438.txt

Filesize
35B

MD5
147ce5c8e8ed68c9c10b136897cefd9b

SHA1
128d5c695c2e5196b0276e54a46a7a0df877ff53

SHA256
a6ecbd9dc67e433359a1d0b2e4a3cf1d610d857322c61c864f9cc239bbe68f5e

SHA512
be75332068dc34536916f6c6a0e0efa7ea999e5426b81f5a0a839769269586e2dfcf00867cf7e7b1b07e14105a1b4fc1193274ce6cdb0750f5f967af1b454e6a

Download Submit
\Windows\SysWOW64\3D7IKFDYYM.exe

Filesize
24KB

MD5
72acc2edb98f5ab3e1b23e8f19f71de0

SHA1
5196ef0f8f0757068d525b729537afe9dc64a53f

SHA256
119b12d33a466f3085c4280987355c636e7250073a263cd2e82312fd5282d66b

SHA512
92edd41d986d97de49e115d15e3e5827e5ec741c190b7cefe21c887e102a139d4078357d8454b2bb8ff119e6ad50a1b5154f6795e6112ab804a1724c2c17839c

Download Submit
\Windows\SysWOW64\3EAOWHLH.exe

Filesize
44KB

MD5
677b2627cf1131549e18893b1d9d4374

SHA1
47542beb77b5a153d201553d1acd90da592c1d58

SHA256
7bc93272147d647ec80c9cc1da44734d4fb2f0d29d15f53f42cf113cf65c6b89

SHA512
88a95eec90ac26f7941ff36f75815a959b7faaddb65a624fe27dea48885e1db4a7842d990095a835dc392cc02581762c15de12b024c2f608679977c31855c4f6

Download Submit

Analysis

Sharing