011f9c117fca91df9c6639c8d327e8b6520a790497201e54277744535014316a

General

Target

63ea7d6972790c878b6400794eba3dea_JaffaCakes118.exe
Size

269KB
MD5

63ea7d6972790c878b6400794eba3dea
SHA1

e437cccdc063e0608cba3f9dc9a3ce024ac6fb00
SHA256

011f9c117fca91df9c6639c8d327e8b6520a790497201e54277744535014316a
SHA512

04d33bfcd84f7eb12e4ca1c239f8b1a9ad759d7bb54472c5579d23eb5468a5febb125ac3e74d213a20947527841153879a049feaabe22e4e00d7bbfed66c45ed
SSDEEP

3072:mxP0uR1yinuBUurRPrwTzGav34Xu6qIxyyY7ubMT5fGbBVS3OmaDETNlw:mPhzkBUutPrUzGavQhqIYtOM5gVKfC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2136	tmp.exe
2944	server.exe

Loads dropped DLL 4 IoCs

pid	Process
2136	tmp.exe
2136	tmp.exe
2136	tmp.exe
2944	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	tmp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2944	server.exe
2944	server.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	63ea7d6972790c878b6400794eba3dea_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2136	2364	63ea7d6972790c878b6400794eba3dea_JaffaCakes118.exe	29
PID 2364 wrote to memory of 2136	2364	63ea7d6972790c878b6400794eba3dea_JaffaCakes118.exe	29
PID 2364 wrote to memory of 2136	2364	63ea7d6972790c878b6400794eba3dea_JaffaCakes118.exe	29
PID 2364 wrote to memory of 2136	2364	63ea7d6972790c878b6400794eba3dea_JaffaCakes118.exe	29
PID 2364 wrote to memory of 2136	2364	63ea7d6972790c878b6400794eba3dea_JaffaCakes118.exe	29
PID 2364 wrote to memory of 2136	2364	63ea7d6972790c878b6400794eba3dea_JaffaCakes118.exe	29
PID 2364 wrote to memory of 2136	2364	63ea7d6972790c878b6400794eba3dea_JaffaCakes118.exe	29
PID 2136 wrote to memory of 2944	2136	tmp.exe	30
PID 2136 wrote to memory of 2944	2136	tmp.exe	30
PID 2136 wrote to memory of 2944	2136	tmp.exe	30
PID 2136 wrote to memory of 2944	2136	tmp.exe	30
PID 2136 wrote to memory of 2944	2136	tmp.exe	30
PID 2136 wrote to memory of 2944	2136	tmp.exe	30
PID 2136 wrote to memory of 2944	2136	tmp.exe	30
PID 2944 wrote to memory of 1224	2944	server.exe	20
PID 2944 wrote to memory of 1224	2944	server.exe	20
PID 2944 wrote to memory of 1224	2944	server.exe	20
PID 2944 wrote to memory of 1224	2944	server.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\63ea7d6972790c878b6400794eba3dea_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\63ea7d6972790c878b6400794eba3dea_JaffaCakes118.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    C:\Users\Admin\AppData\Local\Temp\tmp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
118KB

MD5
c73677780a35ae8579d1e0d66be9e8aa

SHA1
f9a276caed97eb472b6e01a967719320bb09baeb

SHA256
d6993987555292a3baa63c014c5b71b7a5ce709681fd2c7ad3891a1db36efaeb

SHA512
6304caef2681838c0d006b71423e12b84d404a900016b37b80b3d7fd3c319781f86caaedecc031f64600671a612bb0bd64fc8b06ed1e3d6d13bbb048a2b9c175

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
55KB

MD5
a35d924fa959305dae533d0b7c559354

SHA1
1049348f7889e034c7940baa79b927d90ad66031

SHA256
0433e81d36a63336d9e2f18ae12e65ed55ca9e72c2b608f8da7ceffa4e2261c1

SHA512
3e7b4b431cfe30b9b97f588303ad0376b480194bfe511cebdb07ff333e19dc56103ecccbea4456c5de9a1b977bc05a2ee3860c135cf16326a922439b2dc656a0

Download Submit
memory/1224-35-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1224-31-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/2136-24-0x00000000001A0000-0x00000000001A9000-memory.dmp

Filesize
36KB

Download
memory/2364-3-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download
memory/2364-0-0x000007FEF596E000-0x000007FEF596F000-memory.dmp

Filesize
4KB

Download
memory/2364-2-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download
memory/2364-1-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download
memory/2364-46-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download
memory/2944-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2944-29-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2944-34-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2944-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads