5d7f38eb4e6fe1e7eb4e60180ceed24d98e52e761ae52e5e524801b3999c9790

General

Target

3f3fd650682d1b8e209c39552582cec2_JaffaCakes118.exe
Size

74KB
MD5

3f3fd650682d1b8e209c39552582cec2
SHA1

11c4c1ce4bb59542ec635939ab5d91efd6818d8c
SHA256

5d7f38eb4e6fe1e7eb4e60180ceed24d98e52e761ae52e5e524801b3999c9790
SHA512

f4f36d7ad946e61c737ebb9f0c63e56f1223cdf4fe14287b06ddb6b0b2fc98a8cdaa7965c4e2d4bb5a1da2257afa829ebd7fdfbb32224b5a79f82f9c60ff6919
SSDEEP

768:9+Nm1a2FmLZuLFU/r6aqpHk5PmQnFgovom4at99lfO1Qtw/qsqcm9/p8kAn45:99YULFU/rVKCKovomN0QGiFcmc4

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

3f3fd650682d1b8e209c39552582cec2_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Drivers\beep.sys 3f3fd650682d1b8e209c39552582cec2_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	3f3fd650682d1b8e209c39552582cec2_JaffaCakes118.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

3f3fd650682d1b8e209c39552582cec2_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll"	3f3fd650682d1b8e209c39552582cec2_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

Processes:

3f3fd650682d1b8e209c39552582cec2_JaffaCakes118.exesvchost.exe

pid process

4400 3f3fd650682d1b8e209c39552582cec2_JaffaCakes118.exe
3652 svchost.exe

pid	process
4400	3f3fd650682d1b8e209c39552582cec2_JaffaCakes118.exe
3652	svchost.exe

Drops file in System32 directory 3 IoCs

Processes:

3f3fd650682d1b8e209c39552582cec2_JaffaCakes118.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll	3f3fd650682d1b8e209c39552582cec2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\system.dll	svchost.exe
File opened for modification	C:\Windows\SysWOW64\system.dll	svchost.exe

Drops file in Windows directory 2 IoCs

Processes:

3f3fd650682d1b8e209c39552582cec2_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\system\config.dat	3f3fd650682d1b8e209c39552582cec2_JaffaCakes118.exe
File opened for modification	C:\Windows\system\config.dat	3f3fd650682d1b8e209c39552582cec2_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exe

pid process

3652 svchost.exe
3652 svchost.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

652

pid	process
3652	svchost.exe
3652	svchost.exe

pid	process
652

C:\Users\Admin\AppData\Local\Temp\3f3fd650682d1b8e209c39552582cec2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f3fd650682d1b8e209c39552582cec2_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
PID:4400

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dll.tmp

Filesize
40KB

MD5
760813019fcdcee030914b2f381d537c

SHA1
d2ab1639cf9245a8b943111cb1ac0a9c447041d0

SHA256
b85538fde5f9fb93fc5a3067161cd954922fcbbba95bc01c7236583dea485765

SHA512
3947b40f74707fddf41a4afa00e0f22a3a95da57610ecfd3008cd5c19278e3a38144dcb72706ac114e3ecca76ef0ef85f4938e8d10cdeee4a157781ec6aa634d

Download Submit
C:\Windows\SysWOW64\system.dll

Filesize
1KB

MD5
433b3da7035a9d44820e7b29e3ac5307

SHA1
697a8b33cec5d04bfc5425c61fececf706de85f2

SHA256
1cc40260cb531835adc07b312846a66322627459b405f9434a3221c70fecae61

SHA512
5a6f578d70c8d5d0eedf5153696d4dd940952607bce1f853c5e41bfe1cebd105d6acde8f9a5f8539695128446d9b10fd18819bb9a9d741237fea046dfb74e8e6

Download Submit
C:\Windows\SysWOW64\system.dll

Filesize
890B

MD5
a6d894a8957d6b6acc31839a4d9cc1dc

SHA1
71ef3c434c63039fdc4d2b88303005a5a284fece

SHA256
8992e2e384d311fd2f03a86f5c4951012436d08f0ddd839d38a9a534c6ba66a6

SHA512
932bfab19167b54b08949226fe31b02a02259baa65834cc56816138e0cc2e2fe4201816c785e179e2aa97d435b03971bc7527a8df91a65ba9fd15d59829910d2

Download Submit
C:\Windows\SysWOW64\system.dll

Filesize
926B

MD5
58c5e5586a5f57cf657c8e96fe7d9a9f

SHA1
268de8209b66d62eac8c89d8a3c828e8c805dcd2

SHA256
83d6bfc07b2027b11d69089f96bfbb1f8721240db7a2487cdd7b0e4831804606

SHA512
1bf0ae34ed1956718f76dbda650613589f217beb0743ef74d748dc5662eb2e6e94591f79b5dde28353744978d22e5a51a97526900eae86512a62d025f302a19b

Download Submit
C:\Windows\SysWOW64\system.dll

Filesize
1KB

MD5
0b8fcdf1fa41b8cb50d5d8d8ba30a614

SHA1
b94311691a05551cf33604f56b5d915e6911fd45

SHA256
a92f38b70c73cdc2ae4683eb844564a1931b72d9410c3c7c6e2925089b7e1aef

SHA512
039f58089726aeb2b404aecc1eac8b7f7619cd3fea2e4f076e15bcf0b65ec70e17e408aa370c423bde984e715b7f666290d24e41e27c2d1ff2bfb967d2d1c2e6

Download Submit
C:\Windows\SysWOW64\system.dll

Filesize
1KB

MD5
28cc60e33378b2cc04503254147f30da

SHA1
4e31559b9292966b890372334de8405b815f1945

SHA256
a983a89bf415c4e0358c5db353299feae018cd3f4a50a26f46b72b08c98314a2

SHA512
c033dc1f58dcd0187379fad449d654ec562b11e0e89fc8a3a0773fef65dd0ba050fc19421ab3b59dcaede79567e705630ecca335fc1a6c10831cf99316163210

Download Submit
C:\Windows\system\config.dat

Filesize
132B

MD5
74689d1d65459df83bbbe6a23bba589c

SHA1
db3175cf61fa6e8428cb699173a450e097e8f848

SHA256
a6d765884e231d4ec4fe404355e43d5ab6537e139398871150607e7d8b565fc9

SHA512
51182ba8af6bc47175880ffc556ecddfffdd2f48f4cf85b26decae6e073024fc0831c3d504a583412269db19f5599cb5a6c293eff917bf3f32f71fb23cbea652

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads