663209674060d85bd422a01fbfec72d43bb9f3771823fabe5dffb117012122bd

General

Target

5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe
Size

196KB
MD5

5f30a44887d77ef2b49b132459d9d838
SHA1

b52fb37ffd170030d841713710d79792f59abd95
SHA256

663209674060d85bd422a01fbfec72d43bb9f3771823fabe5dffb117012122bd
SHA512

aea0941cc8da7e247ea205d44630bc49b09519645374c9c629f1c0d08f0d6bab2b08ad06102d9e409f3f5f2fcb02e6c26ceaad68617d47d2d1346c5d4ff2893e
SSDEEP

3072:m+GZ5ASSXyvclqCE8l8VutkQPFyQQz70DXdbMpN/Iva8Dp:m+YoqcllLleuyQPFQz7CqNQva8

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe
3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\help\B41346EFA848.dll	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe
File opened for modification	C:\Windows\help\B41346EFA848.dll	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\help\\B41346EFA848.dll"	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe
Token: SeRestorePrivilege	3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe
Token: SeRestorePrivilege	3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe
Token: SeRestorePrivilege	3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe
Token: SeRestorePrivilege	3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe
Token: SeRestorePrivilege	3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe
Token: SeBackupPrivilege	3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe
Token: SeRestorePrivilege	3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe
Token: SeRestorePrivilege	3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe
Token: SeRestorePrivilege	3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe
Token: SeRestorePrivilege	3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe
Token: SeRestorePrivilege	3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 3612	3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe	84
PID 3244 wrote to memory of 3612	3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe	84
PID 3244 wrote to memory of 3612	3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe	84
PID 3244 wrote to memory of 3424	3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe	96
PID 3244 wrote to memory of 3424	3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe	96
PID 3244 wrote to memory of 3424	3244	5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f30a44887d77ef2b49b132459d9d838_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:3612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:3424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
21451767bf78329b0f71cb6df1067585

SHA1
a2f8fa04fb3391b74676f4e09e00bf9555b92789

SHA256
816e2542516b0938cd0f16e457a9dc3d0593c7b2012cc612bf3cf428335b9e55

SHA512
6c070ec70eb2d9cf9f2a01b86e902fd162ccd39f514ac9879702072fb61fc7d52bfa178fa579c055f93f27592fa9dec50673759a37f0ec4cefd963a2831840ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
4d0b3d85f93acea274d2a40e1985c945

SHA1
3a1a64ad0e0cbbc6238f47daab253426301bc540

SHA256
cd0dc23716c4e42e0994a98e53935ef2cfb1b8c3b32f2512775bed74749ba92f

SHA512
ec3682ed902be09bc20074d9d57c8a797c10057e175bb32db91af0308e5264641d8cabe48d71b41857b4e74d83218edb0c7675ad13c63165518e5a15fdd3bff1

Download Submit
C:\Windows\Help\B41346EFA848.dll

Filesize
117KB

MD5
191ce92ecbe4d75815382cc722b38ca8

SHA1
af25f22dd721589fa7c114e609c3a28c902faf9d

SHA256
1bbba303132b87e6e749a3c9548992c9b8493df111aaa365e31d3e3e88c5118c

SHA512
b2c1ab3e269b676816da9478d93272bca3798d7afe7f79414bd1de638e73bf097b2a018d6c1e13054fea0064bd50e8ea999b9da5ffcb3c8acf7e3aa2c4f76888

Download Submit
memory/3244-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3244-12-0x00000000008A0000-0x00000000008F0000-memory.dmp

Filesize
320KB

Download
memory/3244-15-0x00000000008A0000-0x00000000008F0000-memory.dmp

Filesize
320KB

Download
memory/3244-14-0x00000000008EC000-0x00000000008ED000-memory.dmp

Filesize
4KB

Download
memory/3244-17-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3244-18-0x00000000008A0000-0x00000000008F0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing