3a81661b4f7e5d2e44847a52b46b49fb92fa2e12a4e3ab63df4b248966397567

General

Target

4797668cd0a042063e3d2f34aaf3333c_JaffaCakes118.exe
Size

145KB
MD5

4797668cd0a042063e3d2f34aaf3333c
SHA1

fdf90f965acbee58ee8e31fa62ddb657cfc12eb0
SHA256

3a81661b4f7e5d2e44847a52b46b49fb92fa2e12a4e3ab63df4b248966397567
SHA512

1deb315b1bed701b191a0454d44fde877b1712215864c2274c0df29f6ed6c5e91f59a563fe7864252d5f201ea27ba6532b2b217a117a36a211261321fb241f4c
SSDEEP

3072:3R1+aJe1mgawzxsBub861jIHxowR1sxn8xfyRGF27T+Ihi0Mbk6/pb8DEc3OjQD8:3RUTV5ny1sl44FMbkm5c3rZFPM0pjmbp

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 1 IoCs

pid	Process
2560	serv.exe

Loads dropped DLL 1 IoCs

pid	Process
2560	serv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\serv = "C:\\Windows\\serv.exe s"	serv.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kbdkwmas.dll	serv.exe
File created	C:\Windows\SysWOW64\mscowmsd.exe	serv.exe
File created	C:\Windows\SysWOW64\msvcwuap.dll	serv.exe
File created	C:\Windows\SysWOW64\e1.dll	serv.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\serv.exe	4797668cd0a042063e3d2f34aaf3333c_JaffaCakes118.exe
File created	C:\Windows\serv.dll	serv.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2436	notepad.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2560	serv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	serv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2560	serv.exe
2560	serv.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2560	2452	4797668cd0a042063e3d2f34aaf3333c_JaffaCakes118.exe	31
PID 2452 wrote to memory of 2560	2452	4797668cd0a042063e3d2f34aaf3333c_JaffaCakes118.exe	31
PID 2452 wrote to memory of 2560	2452	4797668cd0a042063e3d2f34aaf3333c_JaffaCakes118.exe	31
PID 2452 wrote to memory of 2560	2452	4797668cd0a042063e3d2f34aaf3333c_JaffaCakes118.exe	31
PID 2452 wrote to memory of 2436	2452	4797668cd0a042063e3d2f34aaf3333c_JaffaCakes118.exe	32
PID 2452 wrote to memory of 2436	2452	4797668cd0a042063e3d2f34aaf3333c_JaffaCakes118.exe	32
PID 2452 wrote to memory of 2436	2452	4797668cd0a042063e3d2f34aaf3333c_JaffaCakes118.exe	32
PID 2452 wrote to memory of 2436	2452	4797668cd0a042063e3d2f34aaf3333c_JaffaCakes118.exe	32
PID 2560 wrote to memory of 1216	2560	serv.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\4797668cd0a042063e3d2f34aaf3333c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4797668cd0a042063e3d2f34aaf3333c_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\serv.exe
    C:\Windows\serv.exe s
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2560
- - C:\Windows\SysWOW64\notepad.exe
    C:\Windows\System32\notepad.exe C:\Users\Admin\AppData\Local\Temp\E908.tmp
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

AppInit DLLs

1

T1546.010

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

AppInit DLLs

1

T1546.010

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E908.tmp

Filesize
57KB

MD5
d0785b121e000f88505b8c17b2ff6efd

SHA1
84434ecf6679e1e25c4b7c8222f47a1b08f0a861

SHA256
436f40a571290e80c9807db68d172a7b806a50218fe200e266070a4d615c398e

SHA512
4f8136f9791723de0b43f1bdf19ac47e6bddfbb31cdfdccaf51bfe22ff2d2a01c1e507d295cbe7d41dea2af051858ba95d577a711523492f89697f486eb88bf9

Download Submit
C:\Windows\serv.exe

Filesize
145KB

MD5
4797668cd0a042063e3d2f34aaf3333c

SHA1
fdf90f965acbee58ee8e31fa62ddb657cfc12eb0

SHA256
3a81661b4f7e5d2e44847a52b46b49fb92fa2e12a4e3ab63df4b248966397567

SHA512
1deb315b1bed701b191a0454d44fde877b1712215864c2274c0df29f6ed6c5e91f59a563fe7864252d5f201ea27ba6532b2b217a117a36a211261321fb241f4c

Download Submit
\Windows\SysWOW64\msvcwuap.dll

Filesize
20KB

MD5
f76d28f5028944a79b35ff1eceda8e97

SHA1
ecd7ab75eb98fe8b424bdc2f9bead7045eb95b46

SHA256
1bcb085f7d3507ad1966427eee490c18a1df054d9262ccedf6b3e4230befdbb7

SHA512
ab5addcdfd097e48ec6c17f79955f3b77ecdfa33e572a1cb49cba4114998ea7da5e417fc38de4d378c5b7b2cbf925e4751ab8d6936136315ca048e16e8296f0e

Download Submit
memory/1216-20-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/2452-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-9-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2452-8-0x0000000000620000-0x00000000006A2000-memory.dmp

Filesize
520KB

Download
memory/2560-10-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2560-22-0x0000000000260000-0x0000000000265000-memory.dmp

Filesize
20KB

Download
memory/2560-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads