7c81dccae6c096816d41e0ca0be1234d5742372a78d2a8da8a38a50fb65e4213

General

Target

8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Size

86KB
MD5

8ab1a4db3f7b0ff75f239ee56d8e6774
SHA1

1d711badffa5c508a2d37380643c91dabdc75be7
SHA256

7c81dccae6c096816d41e0ca0be1234d5742372a78d2a8da8a38a50fb65e4213
SHA512

7f6d77aee3514587d31325228ae220917c61eddba8202d5ce77fcbc29ea83116260cfbfd175f75a813caf95597a443ba9358d9d69205a3f68f1edfdc84b50c6a
SSDEEP

1536:houpWZs7TcALe5Eaul2eaNbEAHI7fLw50MzpczDpmUvIoFCF1gBx79oK8ccBwzT:hBMmgEaudQb1HZ50MiBdgjoLKdY

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
560	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe

Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs

Suspicious Windows Authentication Registry Modification.

persistence privilege_escalation

Authentication Package

T1547.002

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Notification Packages = 61003900380075002e0064006c006c00000073006300650063006c00690000000000	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\a98u.dll	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\a98u.dll	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
560	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
560	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
560	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 1232	560	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	18
PID 560 wrote to memory of 1232	560	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	18
PID 560 wrote to memory of 1328	560	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	19
PID 560 wrote to memory of 1328	560	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	19
PID 560 wrote to memory of 1384	560	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	20
PID 560 wrote to memory of 1384	560	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	20
PID 560 wrote to memory of 1240	560	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	22
PID 560 wrote to memory of 1240	560	8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe	22

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1232

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1328

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1384
- C:\Users\Admin\AppData\Local\Temp\8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\8ab1a4db3f7b0ff75f239ee56d8e6774_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Boot or Logon Autostart Execution: Authentication Package
  - Drops file in System32 directory
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:560

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Authentication Package

1

T1547.002

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Authentication Package

1

T1547.002

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\s20BA.tmp

Filesize
72KB

MD5
8f2b5c32b2379a5123c2ac35a4a6debb

SHA1
306609b3019cf9fa694561d419317921f30a80a1

SHA256
cf4c535ec8c2127e99b41c03b312eb70c2342c58f4c83cc011ecc172595a897f

SHA512
25bc7fadcb80c8d035816c0878c3e4a326af43a3c3dbff3df81d88b0c36b1694033f6c2296ef5b1a13671f6aa45d8c6c3c9a4e3430e4854719ea6b3ce6b37cb3

Download Submit
memory/560-0-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/560-4-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1232-10-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1232-9-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads