1487b6a73a4a3e55e77383f60f91b08d10f52169a7115bff872cb15a07ad1a1e

General

Target

3d3a042efca1ab99103aa1978ee8e2c5_JaffaCakes118.exe
Size

650KB
MD5

3d3a042efca1ab99103aa1978ee8e2c5
SHA1

fadd1bf4cb627a49643c8be15dcd57ff368ecc47
SHA256

1487b6a73a4a3e55e77383f60f91b08d10f52169a7115bff872cb15a07ad1a1e
SHA512

046cf5680cfea150d6792f57684552c30bc5f2b54d44a07e17aa84bf05e6f85c92c598ba995ecadf4248a2e3d5db721cf363af006a8a8ea8187e3044a595cf75
SSDEEP

12288:UsAL/W5L/SZdSCvTF+bDTqXTGanh/y+50vOoU3BoYDI85h45fnY:UsW/WNSZ8CLGETGaFZMOJ3BoYk1VnY

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEA851CE-8B9A-11D5-EBA1-F78EEEEEE983}	3d3a042efca1ab99103aa1978ee8e2c5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEA851CE-8B9A-11D5-EBA1-F78EEEEEE983}\StubPath = "mssqg32.exe"	3d3a042efca1ab99103aa1978ee8e2c5_JaffaCakes118.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	3d3a042efca1ab99103aa1978ee8e2c5_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	3d3a042efca1ab99103aa1978ee8e2c5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VCL = "vcl32.exe"	3d3a042efca1ab99103aa1978ee8e2c5_JaffaCakes118.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mssqg32.exe	3d3a042efca1ab99103aa1978ee8e2c5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mssqg32.exe	3d3a042efca1ab99103aa1978ee8e2c5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\concp32.exe	3d3a042efca1ab99103aa1978ee8e2c5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\concp32.exe	3d3a042efca1ab99103aa1978ee8e2c5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\vcl32.exe	3d3a042efca1ab99103aa1978ee8e2c5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\vcl32.exe	3d3a042efca1ab99103aa1978ee8e2c5_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4288	4784	WerFault.exe	82

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\concp32.exe \"%1\" %*"	3d3a042efca1ab99103aa1978ee8e2c5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEA851CE-8B9A-11D5-EBA1-F78EEEEEE983}	3d3a042efca1ab99103aa1978ee8e2c5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEA851CE-8B9A-11D5-EBA1-F78EEEEEE983}\InprocServer32	3d3a042efca1ab99103aa1978ee8e2c5_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEA851CE-8B9A-11D5-EBA1-F78EEEEEE983}\sm = 01b8ec350471bd332433eee476ebe1f3	3d3a042efca1ab99103aa1978ee8e2c5_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AEA851CE-8B9A-11D5-EBA1-F78EEEEEE983}\ax = 54b20dd774c75124cb08e8198f9fe49f	3d3a042efca1ab99103aa1978ee8e2c5_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4784	3d3a042efca1ab99103aa1978ee8e2c5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3d3a042efca1ab99103aa1978ee8e2c5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d3a042efca1ab99103aa1978ee8e2c5_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 736
  2⤵
  - Program crash
  PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4784 -ip 4784
1⤵
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\concp32.exe

Filesize
651KB

MD5
fc4acd532c016e6b90937bcbca5f2df2

SHA1
2a2ebf174e2ac0adc590bfe043d4dc21c28fed40

SHA256
3900ef47dc518903be41d5771e715223807d364fb09f1e7297d7077d97304308

SHA512
783c2f4a9279ee44da7322afbf83a1eda711f904f5ad694a770c79ff3d592144a7c1790f2c39a35e0b76b799bbd2162870f681f85082589e7f2f6e9480a24aad

Download Submit
memory/4784-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4784-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads