e6c3370a121b74be33af5c7daf69750fd1eef77f9a668fcb18639e3da808d67c

General

Target

5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe
Size

382KB
MD5

5b532b0a545e3cbee73ac9d12192dbd6
SHA1

020d19ae4625d9f8536a3e9105c4790ab54dfe64
SHA256

e6c3370a121b74be33af5c7daf69750fd1eef77f9a668fcb18639e3da808d67c
SHA512

7adc7b575fc4bae37bd8d58aa8f8f765adea7dec502d4c2a93b9171b5ae6ee5b2acfee121e4c5d48148559ec23673e12c82da1a39c57cbcb24b8301f9c83d51d
SSDEEP

6144:2WaEC2hxAMAhymq6BE8PCaN633aHHc5UykfEOOy+ZXf7UTmmjf/b8NPTZ/5J83:djhKJhDBE263d1kfIZvyjr0ZD83

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1648	Setup.exe
2152	yxxsj.exe

Loads dropped DLL 4 IoCs

pid	Process
2312	5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe
1648	Setup.exe
1648	Setup.exe
1648	Setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\yxxsj.exe	Setup.exe
File opened for modification	C:\Windows\yxxsj.exe	Setup.exe
File created	C:\Windows\uninstal.bat	Setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1648	Setup.exe
Token: SeDebugPrivilege	2152	yxxsj.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2152	yxxsj.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1648	2312	5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe	30
PID 2312 wrote to memory of 1648	2312	5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe	30
PID 2312 wrote to memory of 1648	2312	5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe	30
PID 2312 wrote to memory of 1648	2312	5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe	30
PID 2312 wrote to memory of 1648	2312	5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe	30
PID 2312 wrote to memory of 1648	2312	5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe	30
PID 2312 wrote to memory of 1648	2312	5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe	30
PID 2152 wrote to memory of 2616	2152	yxxsj.exe	32
PID 2152 wrote to memory of 2616	2152	yxxsj.exe	32
PID 2152 wrote to memory of 2616	2152	yxxsj.exe	32
PID 2152 wrote to memory of 2616	2152	yxxsj.exe	32
PID 1648 wrote to memory of 1152	1648	Setup.exe	33
PID 1648 wrote to memory of 1152	1648	Setup.exe	33
PID 1648 wrote to memory of 1152	1648	Setup.exe	33
PID 1648 wrote to memory of 1152	1648	Setup.exe	33
PID 1648 wrote to memory of 1152	1648	Setup.exe	33
PID 1648 wrote to memory of 1152	1648	Setup.exe	33
PID 1648 wrote to memory of 1152	1648	Setup.exe	33

C:\Users\Admin\AppData\Local\Temp\5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5b532b0a545e3cbee73ac9d12192dbd6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:1152

C:\Windows\yxxsj.exe
C:\Windows\yxxsj.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.bat

Filesize
158B

MD5
5c7ac7be691db8bc6ab3d17f804859d0

SHA1
fa1af53cd2c7a7ccbecf3dfa728ddac591ac73a0

SHA256
c078e1033ad4d87f6f7399c028410e2785528064086a7147ee067ffce113fcb1

SHA512
2e10ee35e3574bacabcdf43f9d50d42ec91eacbb23ab3f39ecd28358eee550ef157ea15fa4e73449a28b2002043030da13239aee325b94ff0d0b4ca42af42f8c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe

Filesize
743KB

MD5
6d426a0b603dfd68be553d6d8b9faa26

SHA1
6a21b635ead0bd4e83f27e8f20c8eeb64b50966c

SHA256
3292745838d07161d7efc23e7139e065eb18ff626d0361dc7a0e54957ff13507

SHA512
306634affc21d9270f5c7a803799b658bb114a6e3ac2c4beef6e65cf1771c4e8a4bd13f056ffe92b690b477c15be71453597dbf742e85c9abd8c0327316897c6

Download Submit
memory/1648-23-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2152-14-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2152-26-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2152-28-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2312-2-0x0000000001000000-0x00000000010C1400-memory.dmp

Filesize
773KB

Download
memory/2312-24-0x0000000001000000-0x00000000010C1400-memory.dmp

Filesize
773KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads