8ba7c0339ddaee9806d54e193c92d03a114fd047c07db9891d27a087bb044689

General

Target

3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe
Size

422KB
MD5

3c1b1b0997b7708df9dfc922705e27ea
SHA1

de2ebe17bbd513b34112c1f54383dcd7bff65f3d
SHA256

8ba7c0339ddaee9806d54e193c92d03a114fd047c07db9891d27a087bb044689
SHA512

4411c66b7cad2d06a0be522b737f0d07e95abb17d1d0db168b46aabf300e35350d1de27355f7cbbef5ae5d07be8e0c4bc1d269ba9f77e0b2c74f8f448ba20937
SSDEEP

6144:tl9rOIhjI3Y3by83TdTcQDRcvxCcZXR5sPEHix0IbBBwNt59p0:N99HDTsnsPEHix0II

Score

6^/10

evasion persistence trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe

Power Settings 1 TTPs 2 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2388	cmd.exe
2688	powercfg.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2540	3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe
2540	3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe
2540	3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe
2540	3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe
2112	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2688	powercfg.exe
Token: SeDebugPrivilege	2540	3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe
Token: SeDebugPrivilege	2112	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2388	2540	3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe	31
PID 2540 wrote to memory of 2388	2540	3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe	31
PID 2540 wrote to memory of 2388	2540	3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2688	2388	cmd.exe	33
PID 2388 wrote to memory of 2688	2388	cmd.exe	33
PID 2388 wrote to memory of 2688	2388	cmd.exe	33
PID 2540 wrote to memory of 1964	2540	3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe	34
PID 2540 wrote to memory of 1964	2540	3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe	34
PID 2540 wrote to memory of 1964	2540	3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe	34
PID 1964 wrote to memory of 2152	1964	cmd.exe	36
PID 1964 wrote to memory of 2152	1964	cmd.exe	36
PID 1964 wrote to memory of 2152	1964	cmd.exe	36
PID 2540 wrote to memory of 1164	2540	3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe	37
PID 2540 wrote to memory of 1164	2540	3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe	37
PID 2540 wrote to memory of 1164	2540	3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe	37
PID 1164 wrote to memory of 2476	1164	cmd.exe	39
PID 1164 wrote to memory of 2476	1164	cmd.exe	39
PID 1164 wrote to memory of 2476	1164	cmd.exe	39
PID 2540 wrote to memory of 2112	2540	3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe	40
PID 2540 wrote to memory of 2112	2540	3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe	40
PID 2540 wrote to memory of 2112	2540	3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe	40

C:\Users\Admin\AppData\Local\Temp\3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c1b1b0997b7708df9dfc922705e27ea_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\system32\cmd.exe
  "cmd" /c powercfg -l
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\system32\powercfg.exe
    powercfg -l
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- C:\Windows\system32\cmd.exe
  "cmd" /c bcdedit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\system32\bcdedit.exe
    bcdedit
    3⤵
    PID:2152
- C:\Windows\system32\cmd.exe
  "cmd" /c fsutil behavior query DisableDeleteNotify
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\system32\fsutil.exe
    fsutil behavior query DisableDeleteNotify
    3⤵
    PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" (get-appxpackage -allusers).name
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Power Settings

1

T1653

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2112-9-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2112-10-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2540-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

Filesize
4KB

Download
memory/2540-1-0x00000000003B0000-0x0000000000420000-memory.dmp

Filesize
448KB

Download
memory/2540-2-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2540-4-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2540-3-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2540-11-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

Filesize
4KB

Download
memory/2540-12-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing