d490de05314255cb970a526326d25956ec0448b507ee770f825a5778dab48a20

General

Target

677e9ab97db7c24adfb4cfcbd9d08b9c_JaffaCakes118.exe
Size

290KB
MD5

677e9ab97db7c24adfb4cfcbd9d08b9c
SHA1

559a533a3e6cec3d4730476b28e1e75010394009
SHA256

d490de05314255cb970a526326d25956ec0448b507ee770f825a5778dab48a20
SHA512

9173aecfadc52f47a648295744099fd791c62e2056b1328df9d127381250d13cdfcde023f6ac8bdbed59c9cb6260b0ebc104c4a74db362911bb6d771010e8f04
SSDEEP

6144:8VSEn9toc0w3z62HMaDVGgcaPYJYRHKYttOjt+yYrHDqkdvT1Uh:2SEn9toc0J9aD00QUqcOjtYTGkdb1

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppCert DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.
persistence privilege_escalation

AppCert DLLs
T1546.009

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
864	Process not Found
1196	Explorer.EXE

Loads dropped DLL 7 IoCs

pid	Process
2052	677e9ab97db7c24adfb4cfcbd9d08b9c_JaffaCakes118.exe
2140	rundll32.exe
2140	rundll32.exe
2140	rundll32.exe
2140	rundll32.exe
2704	cmd.exe
2468	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\chkn_ssp.dll	677e9ab97db7c24adfb4cfcbd9d08b9c_JaffaCakes118.exe
File created	C:\Windows\system32\chkn_ssp64.dll	677e9ab97db7c24adfb4cfcbd9d08b9c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Explorer.EXE

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2052	677e9ab97db7c24adfb4cfcbd9d08b9c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2140	2052	677e9ab97db7c24adfb4cfcbd9d08b9c_JaffaCakes118.exe	28
PID 2052 wrote to memory of 2140	2052	677e9ab97db7c24adfb4cfcbd9d08b9c_JaffaCakes118.exe	28
PID 2052 wrote to memory of 2140	2052	677e9ab97db7c24adfb4cfcbd9d08b9c_JaffaCakes118.exe	28
PID 2052 wrote to memory of 2140	2052	677e9ab97db7c24adfb4cfcbd9d08b9c_JaffaCakes118.exe	28
PID 2052 wrote to memory of 2704	2052	677e9ab97db7c24adfb4cfcbd9d08b9c_JaffaCakes118.exe	31
PID 2052 wrote to memory of 2704	2052	677e9ab97db7c24adfb4cfcbd9d08b9c_JaffaCakes118.exe	31
PID 2052 wrote to memory of 2704	2052	677e9ab97db7c24adfb4cfcbd9d08b9c_JaffaCakes118.exe	31
PID 2052 wrote to memory of 2704	2052	677e9ab97db7c24adfb4cfcbd9d08b9c_JaffaCakes118.exe	31
PID 2052 wrote to memory of 2704	2052	677e9ab97db7c24adfb4cfcbd9d08b9c_JaffaCakes118.exe	31
PID 2052 wrote to memory of 2704	2052	677e9ab97db7c24adfb4cfcbd9d08b9c_JaffaCakes118.exe	31
PID 2052 wrote to memory of 2704	2052	677e9ab97db7c24adfb4cfcbd9d08b9c_JaffaCakes118.exe	31
PID 2140 wrote to memory of 1196	2140	rundll32.exe	21
PID 2140 wrote to memory of 1196	2140	rundll32.exe	21
PID 2704 wrote to memory of 2468	2704	cmd.exe	33
PID 2704 wrote to memory of 2468	2704	cmd.exe	33
PID 2704 wrote to memory of 2468	2704	cmd.exe	33
PID 2704 wrote to memory of 2468	2704	cmd.exe	33
PID 2704 wrote to memory of 2468	2704	cmd.exe	33
PID 2704 wrote to memory of 2468	2704	cmd.exe	33
PID 2704 wrote to memory of 2468	2704	cmd.exe	33

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2468	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
PID:1196
- C:\Users\Admin\AppData\Local\Temp\677e9ab97db7c24adfb4cfcbd9d08b9c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\677e9ab97db7c24adfb4cfcbd9d08b9c_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\chkn_ssp64.dll",CreateProcessNotify
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\259447087.bat" "C:\Users\Admin\AppData\Local\Temp\677e9ab97db7c24adfb4cfcbd9d08b9c_JaffaCakes118.exe""
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -r -h"C:\Users\Admin\AppData\Local\Temp\677e9ab97db7c24adfb4cfcbd9d08b9c_JaffaCakes118.exe"
      4⤵
      Loads dropped DLL
      Views/modifies file attributes
      PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

AppCert DLLs

1

T1546.009

Privilege Escalation

Event Triggered Execution

1

T1546

AppCert DLLs

1

T1546.009

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259447087.bat

Filesize
97B

MD5
d226a657b279c5fc0a892748230a56ff

SHA1
fa7e4fb6d6de3c4769001cbfce0a00ba02ef28a5

SHA256
9dae2767b8e3499d37418a75ddd04d457c7ec8d6c8f312ee109c95a8a97e7761

SHA512
07d55ccf3b511c3be64f6dcd05cea3feaafb286196e5d7ba30016ab6d9c0d656fb7cde8eb1ce0ef28a41f1f3f00f0e29020c92479619fd43e4ed47b829f8bf2a

Download Submit
\Windows\SysWOW64\chkn_ssp.dll

Filesize
87KB

MD5
e180d2ac1210cdc43f3e5deab729f74f

SHA1
927ac8e55ed0f4380d0871ccfad92f2a6df82900

SHA256
9d69c0bb084c2dc4ebc67c5cd146f2e38bb889ae369032c5bf425b6a09a893b2

SHA512
10a1b994501eb9835dc69f2d9c73b6bd229688ed948d7a304667318a69b011e91da46f4cb48d5f8a1ec548bfa3a4a2342eef76e209accbf41212808faf9e61f5

Download Submit
\Windows\System32\chkn_ssp64.dll

Filesize
98KB

MD5
7f1809baa56d52007a4450d8c0b1784c

SHA1
3067fbd21e0a45bbcf41ee84b5bb09b2b76ee236

SHA256
40a2dc49d319b8a44c75185e75d68e3044c2a4ceb39684d99c6509ccd871f959

SHA512
d7bccd5a83b9c3905531785029501030d6357f312c979ce4f22d80145e0752734bb80c7a92c471bbfa35b758d97081f030039b063f776037dd296cd9b46e8fdd

Download Submit
memory/1196-39-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1196-45-0x0000000180000000-0x000000018001D000-memory.dmp

Filesize
116KB

Download
memory/2052-34-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2052-9-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2052-1-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2052-33-0x0000000001000000-0x000000000104B000-memory.dmp

Filesize
300KB

Download
memory/2052-35-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2052-2-0x0000000001000000-0x000000000104B000-memory.dmp

Filesize
300KB

Download
memory/2052-8-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/2052-0-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2140-16-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2140-36-0x0000000180000000-0x000000018001D000-memory.dmp

Filesize
116KB

Download
memory/2468-52-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2704-24-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2704-53-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads