4d8b73a13fe6dcda03178ff40a9df17b13836077f25f4817e1c1da6d509c3ce2

General

Target

5f7acfc3f73851f71c57dc8c456f67e9_JaffaCakes118.exe
Size

108KB
MD5

5f7acfc3f73851f71c57dc8c456f67e9
SHA1

7473892e888cee4adf18d79f620b03731acde5e9
SHA256

4d8b73a13fe6dcda03178ff40a9df17b13836077f25f4817e1c1da6d509c3ce2
SHA512

21981e92d8e86a3e8364967cc958e577051b008993bf175c4f002a5332a0fb763cb664e3d28197d5eb6520223d67a2bdfdcaa84a091751fe4f30ef835133ccf2
SSDEEP

1536:KGxnN7Og8qXWVCVn/Uy18vjfYw2q1T4F0f:KmhB8qXWm/lNk

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12345678-xtxt-14d0-89bb-0090ce808666}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12345678-xtxt-14d0-89bb-0090ce808666}\StubPath = "C:\\WINDOWS\\system32\\xtzc.bat"	regedit.exe

Executes dropped EXE 1 IoCs

pid	Process
2504	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1644	5f7acfc3f73851f71c57dc8c456f67e9_JaffaCakes118.exe
1644	5f7acfc3f73851f71c57dc8c456f67e9_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\sunxt.dll	5f7acfc3f73851f71c57dc8c456f67e9_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\xt.reg	5f7acfc3f73851f71c57dc8c456f67e9_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\xtzc.bat	5f7acfc3f73851f71c57dc8c456f67e9_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\xt.bat	5f7acfc3f73851f71c57dc8c456f67e9_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\system\svchost.exe	5f7acfc3f73851f71c57dc8c456f67e9_JaffaCakes118.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1984	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1644	5f7acfc3f73851f71c57dc8c456f67e9_JaffaCakes118.exe
1644	5f7acfc3f73851f71c57dc8c456f67e9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2504	1644	5f7acfc3f73851f71c57dc8c456f67e9_JaffaCakes118.exe	30
PID 1644 wrote to memory of 2504	1644	5f7acfc3f73851f71c57dc8c456f67e9_JaffaCakes118.exe	30
PID 1644 wrote to memory of 2504	1644	5f7acfc3f73851f71c57dc8c456f67e9_JaffaCakes118.exe	30
PID 1644 wrote to memory of 2504	1644	5f7acfc3f73851f71c57dc8c456f67e9_JaffaCakes118.exe	30
PID 1644 wrote to memory of 2924	1644	5f7acfc3f73851f71c57dc8c456f67e9_JaffaCakes118.exe	31
PID 1644 wrote to memory of 2924	1644	5f7acfc3f73851f71c57dc8c456f67e9_JaffaCakes118.exe	31
PID 1644 wrote to memory of 2924	1644	5f7acfc3f73851f71c57dc8c456f67e9_JaffaCakes118.exe	31
PID 1644 wrote to memory of 2924	1644	5f7acfc3f73851f71c57dc8c456f67e9_JaffaCakes118.exe	31
PID 2924 wrote to memory of 1984	2924	cmd.exe	33
PID 2924 wrote to memory of 1984	2924	cmd.exe	33
PID 2924 wrote to memory of 1984	2924	cmd.exe	33
PID 2924 wrote to memory of 1984	2924	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\5f7acfc3f73851f71c57dc8c456f67e9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f7acfc3f73851f71c57dc8c456f67e9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1644
- C:\WINDOWS\system\svchost.exe
  C:\WINDOWS\system\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\WINDOWS\system32\xt.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s xt.reg
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Runs .reg file with regedit
    PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xt.bat

Filesize
21B

MD5
2ba4207021f8696b6045afded160a687

SHA1
5d9185f427b2042be732981ecba0567b6dcace5e

SHA256
18cef5518a27089e661bb711306d137788279bbc28fb790689436af3adf5212a

SHA512
c6b472a950fd2f3a4f14e3b65fb9d34537f4b1a763ed71f481e868e20d72495a113f97a71c7b85ed8affabc211a8aab6e4b684deaaf659e6f8d4dd9e4d63bbcb

Download Submit
C:\Windows\SysWOW64\xt.reg

Filesize
312B

MD5
80cd7e4e842cce9672f2a81c0d3c47e4

SHA1
ff8c9f6396c6bb9ac0391ff721d3915a601c5564

SHA256
4390586f42950b608bcb8188a6c4a084d908b9fa42fdffc6d7be790730bb4ab6

SHA512
e83664459d48a822392dccfa06fe2f4ffc368740d0fcec5d36cc5045cb26358be20e5890d867e48b13bedb1c630ee193a672b593a0200cdf12d2df41f324db83

Download Submit
\Windows\system\svchost.exe

Filesize
40KB

MD5
b8d357d10e94a9d7045ecc8d62c0a23e

SHA1
11a9003f0c44e166af2981905bed75f3127522bb

SHA256
aeed5ec72a08bcf32b0066aa61c1057605793e166fa261090cad9fbe04dc13ac

SHA512
b9470028da11dd892ff5d41270e74bc507fcf89d28e0f2d5c2a5d53a1afd30ea09a40b7dd7d8910b196a0af1f7290eb06a9d9edc4bf0567bdcfa108ae8e95403

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads