8635797de24b5e0c21d01d09b96562970d2e55fda99c61fae89b25beedda3b37

General

Target

63df0690455265597b4567188a8b33a4_JaffaCakes118.exe
Size

382KB
MD5

63df0690455265597b4567188a8b33a4
SHA1

7720077809000c1dc63af7556df9883ec332c249
SHA256

8635797de24b5e0c21d01d09b96562970d2e55fda99c61fae89b25beedda3b37
SHA512

7e0534451f00f81c5ded0dffdb2cc732e216a66e8ba3cdfc4a4d8aec74ed1a4ed5ebcd974251819979914dd88734bc299688dfd9ccc4d531cec65126203d879c
SSDEEP

6144:SefJGWZqw3VYnHEhfTmBRJyXhGwSxtvtYcrZYrv4qd0XHkPvwrHX/kigyQkloMqZ:Lhj3VYn4CkHCvtrZw0XHrvxgTklh0Eh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3004	2.exe
2528	Common Files.exe

Loads dropped DLL 2 IoCs

pid	Process
2564	63df0690455265597b4567188a8b33a4_JaffaCakes118.exe
2564	63df0690455265597b4567188a8b33a4_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	63df0690455265597b4567188a8b33a4_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Common Files.exe	2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Common Files.exe	2.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.BAT	2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	2.exe
Token: SeDebugPrivilege	2528	Common Files.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2528	Common Files.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 3004	2564	63df0690455265597b4567188a8b33a4_JaffaCakes118.exe	30
PID 2564 wrote to memory of 3004	2564	63df0690455265597b4567188a8b33a4_JaffaCakes118.exe	30
PID 2564 wrote to memory of 3004	2564	63df0690455265597b4567188a8b33a4_JaffaCakes118.exe	30
PID 2564 wrote to memory of 3004	2564	63df0690455265597b4567188a8b33a4_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2824	2528	Common Files.exe	32
PID 2528 wrote to memory of 2824	2528	Common Files.exe	32
PID 2528 wrote to memory of 2824	2528	Common Files.exe	32
PID 2528 wrote to memory of 2824	2528	Common Files.exe	32
PID 3004 wrote to memory of 2276	3004	2.exe	33
PID 3004 wrote to memory of 2276	3004	2.exe	33
PID 3004 wrote to memory of 2276	3004	2.exe	33
PID 3004 wrote to memory of 2276	3004	2.exe	33
PID 3004 wrote to memory of 2276	3004	2.exe	33
PID 3004 wrote to memory of 2276	3004	2.exe	33
PID 3004 wrote to memory of 2276	3004	2.exe	33

C:\Users\Admin\AppData\Local\Temp\63df0690455265597b4567188a8b33a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63df0690455265597b4567188a8b33a4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.BAT
    3⤵
    PID:2276

C:\Program Files (x86)\Common Files\Common Files.exe
"C:\Program Files (x86)\Common Files\Common Files.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Program Files\Internet Explorer\iEXpLOrE.exE
  "C:\Program Files\Internet Explorer\iEXpLOrE.exE"
  2⤵
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.BAT

Filesize
247B

MD5
3de0ac80f139833a15b1bcd0168d346e

SHA1
290acf3566d75df3a1563cfe76627547a92390a5

SHA256
b9a07fd20fd6db019bd665907a814b5acef0eb448347e45e01363ec624de58a1

SHA512
c8d2ef565a99082c9640cf552483ac7cfd15801480c08fac47479ad9d3ed7114cec6579ac69bf19ed5618230b59a25bf5850887d6dc9b4191f2415ec208e7d30

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe

Filesize
757KB

MD5
c8cd25c0037f8e09f461b5c4192e7fab

SHA1
7340964ac71a82bb136622160a11350a9906f63d

SHA256
d2140bad4fd5d4bddc280c3050d60fd1427412fdf73c06a444ec00bfcb19aafa

SHA512
8eba9252d445c71cd345daafc32a02338a2d11baadd88b68c529efcbca710ec10b6501943b1bad17f75347a8e7ede772559b9c78623388a9cfc5647a8d7e7fda

Download Submit
memory/2528-15-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2528-27-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2528-29-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2564-2-0x0000000001000000-0x00000000010C0000-memory.dmp

Filesize
768KB

Download
memory/2564-25-0x0000000001000000-0x00000000010C0000-memory.dmp

Filesize
768KB

Download
memory/3004-10-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/3004-24-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads