964c3f3dfb1f05cf4a21a34e951a7b44caa968bb14bf5168ef12d6b184411c1d

General

Target

3ff19166bc94bbfd22757c747b06e649_JaffaCakes118.exe
Size

14KB
MD5

3ff19166bc94bbfd22757c747b06e649
SHA1

a8d883bfd4eb146f070ece390f325c7327d4723d
SHA256

964c3f3dfb1f05cf4a21a34e951a7b44caa968bb14bf5168ef12d6b184411c1d
SHA512

821bc1527a398877d59ff27ab0e2839b82681c9d7bc7ba875f8167b814bd02a98b04f279966c3f88b93f99c8a02e908b7e01ed5305f1ed3d52e47a55fa7f38e1
SSDEEP

192:OLz7qThUF1meonxgssqVUWIFBzaChowRZ5IggoMR2ILCGSNqrGw3KwYWVMXlcrw:O/chbeoxgRomFx2wXGggoMRRsoGQtY1

Score

8^/10

persistence privilege_escalation upx

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Deletes itself 1 IoCs

pid	Process
2912	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1276	lenowosk.exe

Loads dropped DLL 2 IoCs

pid	Process
2488	3ff19166bc94bbfd22757c747b06e649_JaffaCakes118.exe
2488	3ff19166bc94bbfd22757c747b06e649_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2488-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/files/0x002b000000018eb2-3.dat	upx
behavioral1/memory/2488-12-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1276-13-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lenowos.dll	3ff19166bc94bbfd22757c747b06e649_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lenowosk.exe	3ff19166bc94bbfd22757c747b06e649_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\lenowosk.exe	3ff19166bc94bbfd22757c747b06e649_JaffaCakes118.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 1276	2488	3ff19166bc94bbfd22757c747b06e649_JaffaCakes118.exe	28
PID 2488 wrote to memory of 1276	2488	3ff19166bc94bbfd22757c747b06e649_JaffaCakes118.exe	28
PID 2488 wrote to memory of 1276	2488	3ff19166bc94bbfd22757c747b06e649_JaffaCakes118.exe	28
PID 2488 wrote to memory of 1276	2488	3ff19166bc94bbfd22757c747b06e649_JaffaCakes118.exe	28
PID 2488 wrote to memory of 2912	2488	3ff19166bc94bbfd22757c747b06e649_JaffaCakes118.exe	29
PID 2488 wrote to memory of 2912	2488	3ff19166bc94bbfd22757c747b06e649_JaffaCakes118.exe	29
PID 2488 wrote to memory of 2912	2488	3ff19166bc94bbfd22757c747b06e649_JaffaCakes118.exe	29
PID 2488 wrote to memory of 2912	2488	3ff19166bc94bbfd22757c747b06e649_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\3ff19166bc94bbfd22757c747b06e649_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3ff19166bc94bbfd22757c747b06e649_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\SysWOW64\lenowosk.exe
  C:\Windows\system32\lenowosk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\3ff19166bc94bbfd22757c747b06e649_JaffaCakes118.exe.bat
  2⤵
  - Deletes itself
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

2

T1546

Accessibility Features

1

T1546.008

AppInit DLLs

1

T1546.010

Privilege Escalation

Event Triggered Execution

2

T1546

Accessibility Features

1

T1546.008

AppInit DLLs

1

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3ff19166bc94bbfd22757c747b06e649_JaffaCakes118.exe.bat

Filesize
210B

MD5
b645ebd478e8357faed059d413e1ef13

SHA1
539f546904f7d9cef0de9d5e8b9c80945d5cb94b

SHA256
7154aa388442f7eb263ca20d6c9cfb36a1934a8e2232521a698aa0c0d1ffef4a

SHA512
2118184d2b9804eff3d0e20c0515405be5009f4f785607945aaf8d64ec90c025baaf94613f7f793a0b4cba8472f87fd693002d10b6c57f5d94feebd92273e46f

Download Submit
\Windows\SysWOW64\lenowosk.exe

Filesize
14KB

MD5
3ff19166bc94bbfd22757c747b06e649

SHA1
a8d883bfd4eb146f070ece390f325c7327d4723d

SHA256
964c3f3dfb1f05cf4a21a34e951a7b44caa968bb14bf5168ef12d6b184411c1d

SHA512
821bc1527a398877d59ff27ab0e2839b82681c9d7bc7ba875f8167b814bd02a98b04f279966c3f88b93f99c8a02e908b7e01ed5305f1ed3d52e47a55fa7f38e1

Download Submit
memory/1276-13-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2488-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2488-10-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2488-9-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2488-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2488-14-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2488-17-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing