17d1effba6fe6e680a6b9ef72022633f32fdaec98d50a7d8a3f7dfded45c82cc

General

Target

8ed7abf5d73ccd79f86ccb626beace87_JaffaCakes118.exe
Size

80KB
MD5

8ed7abf5d73ccd79f86ccb626beace87
SHA1

eda793ed9d007fd2cee15a770a744d2c61039445
SHA256

17d1effba6fe6e680a6b9ef72022633f32fdaec98d50a7d8a3f7dfded45c82cc
SHA512

83e65dc3c4ec751fba85659c0215783841ebd3ce8ed118d1ac2fe0b841536619f797b1a37e6e1974e113f19203ffb45188f3bbbb8d4babe56523a46a411d3e6d
SSDEEP

1536:ufKEw/vygSorO7O5m+xrb2hDkXYVF2f0R909VCOX3:SK/nSoK7O5muUDnVF269gh

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
19	2216	rundll32.exe
21	2796	rundll32.exe
20	2796	rundll32.exe
28	2796	rundll32.exe
42	2796	rundll32.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
2216	rundll32.exe
2796	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2283880F-EF87-4aac-8EBD-C9BCC8494AF5_46 = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\2283880F-EF87-4aac-8EBD-C9BCC8494AF5_46.avi\", start"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ed7abf5d73ccd79f86ccb626beace87_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	8ed7abf5d73ccd79f86ccb626beace87_JaffaCakes118.exe
Token: SeDebugPrivilege	2216	rundll32.exe
Token: SeDebugPrivilege	2796	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 2216	4760	8ed7abf5d73ccd79f86ccb626beace87_JaffaCakes118.exe	87
PID 4760 wrote to memory of 2216	4760	8ed7abf5d73ccd79f86ccb626beace87_JaffaCakes118.exe	87
PID 4760 wrote to memory of 2216	4760	8ed7abf5d73ccd79f86ccb626beace87_JaffaCakes118.exe	87
PID 2216 wrote to memory of 2796	2216	rundll32.exe	90
PID 2216 wrote to memory of 2796	2216	rundll32.exe	90
PID 2216 wrote to memory of 2796	2216	rundll32.exe	90

C:\Users\Admin\AppData\Local\Temp\8ed7abf5d73ccd79f86ccb626beace87_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ed7abf5d73ccd79f86ccb626beace87_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\\ccaaf651-b1ea-462e-ac9f-50a57e8464c9\wrkBB8F.tmp_46", start first worker
  2⤵
  - Blocklisted process makes network request
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\\ccaaf651-b1ea-462e-ac9f-50a57e8464c9\wrkC505.tmp_46", start task worker
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ccaaf651-b1ea-462e-ac9f-50a57e8464c9\wrkBB8F.tmp_46

Filesize
80KB

MD5
35012beb8d0d30dae83ace395352e87d

SHA1
97c729bb8dba416b3615fd44bce298ca6f44d666

SHA256
28087d7e5595246176ffd189ea95197f76d02e31b1cb54dec16de6213aa2dc70

SHA512
99788553e95d29b5d11959c327b11f0b2bd5685cabfd69d871a0a662fd90650eafa9a1b94ed216a26e70989f0cd7788053a112c4bdf2d0d0dea7f8e0492468a5

Download Submit
memory/2216-11-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/2216-31-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/2216-29-0x0000000074DB0000-0x0000000074DD7000-memory.dmp

Filesize
156KB

Download
memory/2216-18-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/2216-10-0x0000000074DB0000-0x0000000074DD7000-memory.dmp

Filesize
156KB

Download
memory/2796-27-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/2796-22-0x0000000073880000-0x00000000738A7000-memory.dmp

Filesize
156KB

Download
memory/2796-32-0x0000000073880000-0x00000000738A7000-memory.dmp

Filesize
156KB

Download
memory/2796-33-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/2796-40-0x0000000073880000-0x00000000738A7000-memory.dmp

Filesize
156KB

Download
memory/4760-7-0x0000000000EC0000-0x0000000000EE7000-memory.dmp

Filesize
156KB

Download
memory/4760-0-0x0000000000EC0000-0x0000000000EE7000-memory.dmp

Filesize
156KB

Download
memory/4760-2-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/4760-1-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads