a62eac7125d6a8e953325e4408f6f6ab187c808f9bfc0334e4d8723fae97c021

General

Target

3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe
Size

18KB
MD5

3fad2378feab32b6d3f8b955d98038b2
SHA1

626d2a65d0c22ad510445171234d314bf93d0a2e
SHA256

a62eac7125d6a8e953325e4408f6f6ab187c808f9bfc0334e4d8723fae97c021
SHA512

4436ac40b5042eb768285dfdb074453a5431a145d24ec3b7211f296a00d09ec60f4fcf5a9e71ea02769df5f6598069bb8bbc2f425ddd777a168e51adb68c6cbe
SSDEEP

192:cZh9iPRuyEmDYGpMtLYOzgfwN4rUMGA5+bc7+jR9nsVVI+1k1ygJtac:MhEMyRYGKtLUlxGC+bXsVK+1k1ygbac

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\schost.js	3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\codec.exe	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscode = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe"	3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4776	3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 2968	4776	3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe	101
PID 4776 wrote to memory of 2968	4776	3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe	101
PID 2968 wrote to memory of 2916	2968	vbc.exe	103
PID 2968 wrote to memory of 2916	2968	vbc.exe	103

C:\Users\Admin\AppData\Local\Temp\3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3fad2378feab32b6d3f8b955d98038b2_JaffaCakes118.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rtuvsozl.cmdline"
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96EC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7E4265398D874D07AA988925F8C33978.TMP"
    3⤵
    PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES96EC.tmp

Filesize
1KB

MD5
7fffb4c41bedfa37e1f4c8fa297ca107

SHA1
374173ea82cdffa4deb9882bce96eb7db50eed91

SHA256
e0f56e9f15f8c1844dd40ed911732fb893142a39aad98261305f9b133c7c2b35

SHA512
e7be71e867e636f85ee7f8575b20e6c0b9b0a52a77fba51f596278e12667c9a5696a3ba64367e538995078f9758edc97e7d5f93d08dc437fadd59fca25c5bb1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rtuvsozl.0.vb

Filesize
193B

MD5
c9affc499509d8a9c1b93e9590e55d7f

SHA1
832ddeefbe416bb4bb5349e3d44d660cf69614c6

SHA256
4e4d855ef36455df9965a719b2ecaf3e5f1fc3fb614eba6c377e4b3696106249

SHA512
fdb98921f4001e56d46dd17975fa41e76e6f2028d509cd38266e5889279690ab04d0548547ab26629bfba3855b0e6817650abac5e6f086a464ed56bfb3b4f16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rtuvsozl.cmdline

Filesize
193B

MD5
8ba4081d3249e55a443a936663b5791f

SHA1
d1727b9a39cfd39532a4f9e9c337665085bd4532

SHA256
932aec4c58075b180bf41b9261576c838c6021b7fe806c57a70d8290f33f5e1d

SHA512
c974d836b88b3134c691c303a5c3eca7ac5151cef7f63604ad2dffe469e17ed0078ae4bff7ff67578965dd9fb5239430cb757a472690a2a7ad5279e70328c751

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7E4265398D874D07AA988925F8C33978.TMP

Filesize
636B

MD5
4ae835497e2f7ceaf82995a952ab9488

SHA1
4800591a27a535f287c294cb30e79f951ffa6e93

SHA256
f2811dc74cc9db37a8327e8cf3b9b87c86a1628446178c6fd53476c9293a8ca5

SHA512
e292c23402150a0031fb01997ed8e7cf3871957906360fad7f6fbdc2f9695791020fab8ce066436aa96c17811a84174ce5b7206e16a98f8b3ddebe4ff217e19c

Download Submit
memory/2968-22-0x00007FFDA3740000-0x00007FFDA40E1000-memory.dmp

Filesize
9.6MB

Download
memory/2968-14-0x00007FFDA3740000-0x00007FFDA40E1000-memory.dmp

Filesize
9.6MB

Download
memory/4776-3-0x000000001C4B0000-0x000000001C556000-memory.dmp

Filesize
664KB

Download
memory/4776-7-0x00007FFDA3740000-0x00007FFDA40E1000-memory.dmp

Filesize
9.6MB

Download
memory/4776-6-0x00007FFDA3740000-0x00007FFDA40E1000-memory.dmp

Filesize
9.6MB

Download
memory/4776-5-0x00007FFDA39F5000-0x00007FFDA39F6000-memory.dmp

Filesize
4KB

Download
memory/4776-4-0x000000001C5D0000-0x000000001C632000-memory.dmp

Filesize
392KB

Download
memory/4776-0-0x00007FFDA39F5000-0x00007FFDA39F6000-memory.dmp

Filesize
4KB

Download
memory/4776-2-0x000000001BFE0000-0x000000001C4AE000-memory.dmp

Filesize
4.8MB

Download
memory/4776-1-0x00007FFDA3740000-0x00007FFDA40E1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads