7c08754a90a54e8ff5f33c02d83a5de7807d99fe26c66941c6fe6e73a18cadca

General

Target

4610f61f6f542b457ee4aa391bdb5ae9_JaffaCakes118.exe
Size

11KB
MD5

4610f61f6f542b457ee4aa391bdb5ae9
SHA1

e271a1ca50fe04554ef9ab982f5e3918d9490fb9
SHA256

7c08754a90a54e8ff5f33c02d83a5de7807d99fe26c66941c6fe6e73a18cadca
SHA512

e9ebdc5370c36d10abcb548ba067ead06f09bea470c9e7a6669e4e9166046891fcc5da9cd587b0d2db2b1b42d1f22de58fb28e83027636392368db3ca9882edb
SSDEEP

192:NErlncuFLrflfLN8EMOGk0XhhT09GP1sHOEF/NKI2mvwl3LQpc5:NErln5dWEjGk0XGsEpcZnx

Score

8^/10

persistence privilege_escalation upx

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Deletes itself 1 IoCs

pid	Process
2552	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2144	cmonosk.exe

Loads dropped DLL 2 IoCs

pid	Process
2648	4610f61f6f542b457ee4aa391bdb5ae9_JaffaCakes118.exe
2648	4610f61f6f542b457ee4aa391bdb5ae9_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2648-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0008000000016c96-3.dat	upx
behavioral1/memory/2144-12-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2648-13-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cmonos.dll	4610f61f6f542b457ee4aa391bdb5ae9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmonosk.exe	4610f61f6f542b457ee4aa391bdb5ae9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cmonosk.exe	4610f61f6f542b457ee4aa391bdb5ae9_JaffaCakes118.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2144	2648	4610f61f6f542b457ee4aa391bdb5ae9_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2144	2648	4610f61f6f542b457ee4aa391bdb5ae9_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2144	2648	4610f61f6f542b457ee4aa391bdb5ae9_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2144	2648	4610f61f6f542b457ee4aa391bdb5ae9_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2552	2648	4610f61f6f542b457ee4aa391bdb5ae9_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2552	2648	4610f61f6f542b457ee4aa391bdb5ae9_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2552	2648	4610f61f6f542b457ee4aa391bdb5ae9_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2552	2648	4610f61f6f542b457ee4aa391bdb5ae9_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\4610f61f6f542b457ee4aa391bdb5ae9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4610f61f6f542b457ee4aa391bdb5ae9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\cmonosk.exe
  C:\Windows\system32\cmonosk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\4610f61f6f542b457ee4aa391bdb5ae9_JaffaCakes118.exe.bat
  2⤵
  - Deletes itself
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

2

T1546

Accessibility Features

1

T1546.008

AppInit DLLs

1

T1546.010

Privilege Escalation

Event Triggered Execution

2

T1546

Accessibility Features

1

T1546.008

AppInit DLLs

1

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4610f61f6f542b457ee4aa391bdb5ae9_JaffaCakes118.exe.bat

Filesize
210B

MD5
838f3d86348fdf9a396d077c63e7848a

SHA1
3345f7c055d1fef29c6864ce7109e2e6972f5d90

SHA256
384a7252d44827c652fa34db7bbcb15325dc774a0dbacb1e680474bf3717b75c

SHA512
e54d74b08f60af316f63fc9af942ca7355586cb89c144c9af0216eaf79fae1e522727d3b777564d6b65f673e8326a85a619dfe71261ada94e05ef0a630b63344

Download Submit
\Windows\SysWOW64\cmonosk.exe

Filesize
11KB

MD5
4610f61f6f542b457ee4aa391bdb5ae9

SHA1
e271a1ca50fe04554ef9ab982f5e3918d9490fb9

SHA256
7c08754a90a54e8ff5f33c02d83a5de7807d99fe26c66941c6fe6e73a18cadca

SHA512
e9ebdc5370c36d10abcb548ba067ead06f09bea470c9e7a6669e4e9166046891fcc5da9cd587b0d2db2b1b42d1f22de58fb28e83027636392368db3ca9882edb

Download Submit
memory/2144-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2648-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2648-11-0x0000000000240000-0x000000000024F000-memory.dmp

Filesize
60KB

Download
memory/2648-10-0x0000000000240000-0x000000000024F000-memory.dmp

Filesize
60KB

Download
memory/2648-13-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2648-17-0x0000000000240000-0x000000000024F000-memory.dmp

Filesize
60KB

Download
memory/2648-18-0x0000000000240000-0x000000000024F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing