cdd8bbf9fbeb5cc7b395b73bfa5db8467b7cb6478d0d168b86e4492ba79f0f61

General

Target

4b81bbecf4b1d2a7d5ea64e1ba8a86df_JaffaCakes118.exe
Size

58KB
MD5

4b81bbecf4b1d2a7d5ea64e1ba8a86df
SHA1

ec5f1121666144686e9a66479639fecdf915539e
SHA256

cdd8bbf9fbeb5cc7b395b73bfa5db8467b7cb6478d0d168b86e4492ba79f0f61
SHA512

fb646c8bcfb9921eced357a3f84fc8a03b8b2534d724996921430594441def443e54fcfdc0ca2ad8f4594fff6b8dc002f47f97d47ae50b7f05dce5c36142d374
SSDEEP

1536:4VRJvUD/EIrndB37OltiaPk19rXYLsoe4Gy+L8mIV/L/DM:2JI/EIzTClvPkLMQltLIzrDM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2616	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2948	spoolsvc.exe
2216	iexplore.exe
2528	winamp.exe

Loads dropped DLL 6 IoCs

pid	Process
2864	4b81bbecf4b1d2a7d5ea64e1ba8a86df_JaffaCakes118.exe
2864	4b81bbecf4b1d2a7d5ea64e1ba8a86df_JaffaCakes118.exe
2948	spoolsvc.exe
2948	spoolsvc.exe
2216	iexplore.exe
2216	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winamp.exe	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\winamp.exe	iexplore.exe
File created	C:\Windows\SysWOW64\wdea.bat	iexplore.exe
File created	C:\Windows\SysWOW64\spoolsvc.exe	4b81bbecf4b1d2a7d5ea64e1ba8a86df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\spoolsvc.exe	4b81bbecf4b1d2a7d5ea64e1ba8a86df_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iexplore.exe	spoolsvc.exe
File opened for modification	C:\Windows\SysWOW64\iexplore.exe	spoolsvc.exe
File created	C:\Windows\SysWOW64\bggfd.bat	spoolsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2616	2864	4b81bbecf4b1d2a7d5ea64e1ba8a86df_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2616	2864	4b81bbecf4b1d2a7d5ea64e1ba8a86df_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2616	2864	4b81bbecf4b1d2a7d5ea64e1ba8a86df_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2616	2864	4b81bbecf4b1d2a7d5ea64e1ba8a86df_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2948	2864	4b81bbecf4b1d2a7d5ea64e1ba8a86df_JaffaCakes118.exe	32
PID 2864 wrote to memory of 2948	2864	4b81bbecf4b1d2a7d5ea64e1ba8a86df_JaffaCakes118.exe	32
PID 2864 wrote to memory of 2948	2864	4b81bbecf4b1d2a7d5ea64e1ba8a86df_JaffaCakes118.exe	32
PID 2864 wrote to memory of 2948	2864	4b81bbecf4b1d2a7d5ea64e1ba8a86df_JaffaCakes118.exe	32
PID 2948 wrote to memory of 2096	2948	spoolsvc.exe	33
PID 2948 wrote to memory of 2096	2948	spoolsvc.exe	33
PID 2948 wrote to memory of 2096	2948	spoolsvc.exe	33
PID 2948 wrote to memory of 2096	2948	spoolsvc.exe	33
PID 2948 wrote to memory of 2216	2948	spoolsvc.exe	35
PID 2948 wrote to memory of 2216	2948	spoolsvc.exe	35
PID 2948 wrote to memory of 2216	2948	spoolsvc.exe	35
PID 2948 wrote to memory of 2216	2948	spoolsvc.exe	35
PID 2216 wrote to memory of 2140	2216	iexplore.exe	36
PID 2216 wrote to memory of 2140	2216	iexplore.exe	36
PID 2216 wrote to memory of 2140	2216	iexplore.exe	36
PID 2216 wrote to memory of 2140	2216	iexplore.exe	36
PID 2216 wrote to memory of 2528	2216	iexplore.exe	38
PID 2216 wrote to memory of 2528	2216	iexplore.exe	38
PID 2216 wrote to memory of 2528	2216	iexplore.exe	38
PID 2216 wrote to memory of 2528	2216	iexplore.exe	38

C:\Users\Admin\AppData\Local\Temp\4b81bbecf4b1d2a7d5ea64e1ba8a86df_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b81bbecf4b1d2a7d5ea64e1ba8a86df_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\daix.bat" "
  2⤵
  - Deletes itself
  PID:2616
- C:\Windows\SysWOW64\spoolsvc.exe
  C:\Windows\system32\spoolsvc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\SysWOW64\bggfd.bat" "
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\iexplore.exe
    C:\Windows\system32\iexplore.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Windows\SysWOW64\wdea.bat" "
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\winamp.exe
      C:\Windows\system32\winamp.exe
      4⤵
      Executes dropped EXE
      PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\daix.bat

Filesize
240B

MD5
de05ecd474eaf5d7af307e8ffa9ff2d7

SHA1
8b3c195175fd55099f0615ce303ac0f36a1f7ca3

SHA256
d2029dd105740c9220bb40f294deac219bc2cb57b12e8852e9c53c1239ea185f

SHA512
7d42ed9010af71950964ea60b0c474e03a53f3d0b3372db1ec07db6ce5996b3833eb2f885c74cfa5e34f7c14703d079eaa8494d8fe1eeba0e041cfc90eb2a738

Download Submit
C:\Windows\SysWOW64\bggfd.bat

Filesize
127B

MD5
68bfd86a0945abf82d6317c4f9d90952

SHA1
48a3da193cc7dfc16fee1574737c683bf8d2188e

SHA256
1d0873c96322b6d15a576eecc8212506abb2d4d3e65a2c6dda6b8f176776d31d

SHA512
a9ece7c9204996ff3e1503dba4fc0c3572919c1abe933a81606aa95cd14cf359b3d474d7679f241362798324a85fca1a187b0e37354f91d6b9ed8dd7e2525d2a

Download Submit
C:\Windows\SysWOW64\wdea.bat

Filesize
126B

MD5
2d7d9c1af97bd6bdb73f4633a26f7831

SHA1
a167de41a987e800f5e7ef64f60f43aec1fbb84f

SHA256
52e0eea00f3cd890e450d28c3da2e6c9c68767682c944f20c86822fb0c8a8125

SHA512
5a3429414bda97363248fdf857ff545e4320b2244871015465c471271c36ce1b0daffb66b659566b7535e4b3f956670260632a3dd8185fc16f4a23e657d12b57

Download Submit
\Windows\SysWOW64\spoolsvc.exe

Filesize
58KB

MD5
4b81bbecf4b1d2a7d5ea64e1ba8a86df

SHA1
ec5f1121666144686e9a66479639fecdf915539e

SHA256
cdd8bbf9fbeb5cc7b395b73bfa5db8467b7cb6478d0d168b86e4492ba79f0f61

SHA512
fb646c8bcfb9921eced357a3f84fc8a03b8b2534d724996921430594441def443e54fcfdc0ca2ad8f4594fff6b8dc002f47f97d47ae50b7f05dce5c36142d374

Download Submit
memory/2216-49-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2216-71-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2216-72-0x0000000003430000-0x000000000395D000-memory.dmp

Filesize
5.2MB

Download
memory/2528-74-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2528-76-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2864-22-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2864-21-0x00000000038B0000-0x0000000003DDD000-memory.dmp

Filesize
5.2MB

Download
memory/2864-0-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2864-1-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2948-24-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2948-48-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing