8de8c9d27370f2feb0f1adee429080ef7216ddf6ce0dcfada15e394f01893c80

General

Target

457d857e241925d7904b7c459d0f43db_JaffaCakes118.exe
Size

226KB
MD5

457d857e241925d7904b7c459d0f43db
SHA1

ba4e3eff0507092fb0e1ec9d1fec74dd528f3f68
SHA256

8de8c9d27370f2feb0f1adee429080ef7216ddf6ce0dcfada15e394f01893c80
SHA512

aaa93bb34fe7fe4353dd2ae3c25cdb75a5899e646e0772363f2bfa81797048a654676f482663e3f1a6f13360b3a549fab3fc489369beeb7b5af4e486c6d0dd19
SSDEEP

6144:+szspeDEJ/7mX7wYGJg8vFDpSHRuqO4Ji33dqoKfg3c:+sIpeGiLRm1uu9y63d7Ko3c

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2296	leass.exe
2868	rav.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cao = "C:\\laess.exe"	rav.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rav.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\config.dat	457d857e241925d7904b7c459d0f43db_JaffaCakes118.exe
File created	C:\Windows\zzz.bmp	457d857e241925d7904b7c459d0f43db_JaffaCakes118.exe
File created	C:\Windows\kkk.bmp	457d857e241925d7904b7c459d0f43db_JaffaCakes118.exe
File created	C:\Windows\renw.bmp	457d857e241925d7904b7c459d0f43db_JaffaCakes118.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	rav.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2296	leass.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2868	rav.exe
Token: SeRestorePrivilege	2868	rav.exe
Token: SeRestorePrivilege	2868	rav.exe
Token: SeRestorePrivilege	2868	rav.exe
Token: SeRestorePrivilege	2868	rav.exe
Token: SeRestorePrivilege	2868	rav.exe
Token: SeRestorePrivilege	2868	rav.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2296	2552	457d857e241925d7904b7c459d0f43db_JaffaCakes118.exe	31
PID 2552 wrote to memory of 2296	2552	457d857e241925d7904b7c459d0f43db_JaffaCakes118.exe	31
PID 2552 wrote to memory of 2296	2552	457d857e241925d7904b7c459d0f43db_JaffaCakes118.exe	31
PID 2552 wrote to memory of 2296	2552	457d857e241925d7904b7c459d0f43db_JaffaCakes118.exe	31
PID 2296 wrote to memory of 2324	2296	leass.exe	32
PID 2296 wrote to memory of 2324	2296	leass.exe	32
PID 2296 wrote to memory of 2324	2296	leass.exe	32
PID 2296 wrote to memory of 2324	2296	leass.exe	32
PID 2324 wrote to memory of 2868	2324	cmd.exe	34
PID 2324 wrote to memory of 2868	2324	cmd.exe	34
PID 2324 wrote to memory of 2868	2324	cmd.exe	34
PID 2324 wrote to memory of 2868	2324	cmd.exe	34
PID 2868 wrote to memory of 2480	2868	rav.exe	35
PID 2868 wrote to memory of 2480	2868	rav.exe	35
PID 2868 wrote to memory of 2480	2868	rav.exe	35
PID 2868 wrote to memory of 2480	2868	rav.exe	35
PID 2480 wrote to memory of 2616	2480	runonce.exe	36
PID 2480 wrote to memory of 2616	2480	runonce.exe	36
PID 2480 wrote to memory of 2616	2480	runonce.exe	36
PID 2480 wrote to memory of 2616	2480	runonce.exe	36

C:\Users\Admin\AppData\Local\Temp\457d857e241925d7904b7c459d0f43db_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\457d857e241925d7904b7c459d0f43db_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2552
- C:\leass.exe
  "C:\leass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\call.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\rav.exe
      C:\rav.exe setupapi,InstallHinfSection DefaultInstall 128 C:\inst.inf
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\config.dat

Filesize
606B

MD5
00739a6827e6d627d194f68df02998bb

SHA1
0df983a86596e725c5841566c68d2814927f0c12

SHA256
04f6f48b6ba9ed8d5016ce4f4714deb2685558ee27bcea97a315ac302eea81fe

SHA512
f7098c74b7cff52babc174fd1306eb883eca006b994f9d365365ff1351798b8eddf209c5be54a85644535d3cd458ca5deeaf229ad2100236ad705be91c177939

Download Submit
C:\call.bat

Filesize
74B

MD5
eaa9178ae2a166adc0bb185c3e021f2a

SHA1
409cae2f9c9725b7a06ca040a7354abd50029447

SHA256
c2f242c8ed90f0e34b0d4acb1f03faaacc8521ff9137c5f5702b48da8374636e

SHA512
75766faafbf9af4090ee18e86d9eb59f1dda52141577f8b14a6770d15415d069f9529dcf4e04cb956b7f5db58707e160b93ddfff40bb9c5d1a9308d870137834

Download Submit
C:\inst.inf

Filesize
145B

MD5
e181cbfd331eae187684431d6eb0d3c2

SHA1
b52dc27c0ccfec41d8896dfd9d40719d53c04def

SHA256
a308ad26b3dabb46eb2684b162e4669fe846430cc77d67270735a2873d9a57bd

SHA512
a6944c8590a7c2e61b0722f83b74b315a56aa1f30d9ae10b6492ea2615d1dafbb7c46c0ae33ad27daaaf1e4c4d394e602db07aa9e826efb7b98760824843542c

Download Submit
C:\leass.exe

Filesize
20.2MB

MD5
0edfe37277f8b9e70346d89aa478cb33

SHA1
6f0cf7607488773db450255d9fc346f250b2edb8

SHA256
96d37c3bb76d430c16f964231ae0a04cede1217a36f1f4de1ed9624ed3867c83

SHA512
dab8296f65389e7140f4e3944785baaefbd9c93833536822bb5d75fccfa0d96cba6f99c316bc5c198b9a400070c988af2a94c4810a508dfce1c7d2ac53e1550c

Download Submit
C:\rav.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads