db59a9ab2b85f2563563da0868de87cabfce29601b3b040894a2d8e5bd0e7005

General

Target

939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe
Size

158KB
MD5

939e2c9b64a6ac71e40f6738cb436a18
SHA1

a824ac5547e2af48bd03f02e2440ed81bef62125
SHA256

db59a9ab2b85f2563563da0868de87cabfce29601b3b040894a2d8e5bd0e7005
SHA512

22ff96c101b1acd3887be0d6b2dca0f66f71f997c515ec1e995d63f0f2f29dd96c7d0af4306bd5ffebe1a0b5609fd0abc3d1330e3084d2dd91b4413c4265e1f0
SSDEEP

3072:MR/8rqUUfxIdq1n2UuAr2zJxJDwHTkjRzJFkPnHcCzbKtZc:MB85UfxIcevwHAjRlFkPnHc2utZc

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2404	cmd.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 2 IoCs

pid	Process
1180	Explorer.EXE
472	services.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1740 set thread context of 2404	1740	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe	30

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{15366efd-cfd9-0c16-f3c4-ad88e049c25a}\@	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe
File created	C:\Windows\Installer\{15366efd-cfd9-0c16-f3c4-ad88e049c25a}\n	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{15366efd-cfd9-0c16-f3c4-ad88e049c25a}\\n."	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\ = "\\\\.\\globalroot\\systemroot\\Installer\\{15366efd-cfd9-0c16-f3c4-ad88e049c25a}\\n."	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\clsid	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1740	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe
1740	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe
1740	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe
1740	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe
1740	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe
1740	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe
Token: SeDebugPrivilege	1740	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe
Token: SeDebugPrivilege	1740	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe
Token: SeBackupPrivilege	472	services.exe
Token: SeRestorePrivilege	472	services.exe
Token: SeSecurityPrivilege	472	services.exe
Token: SeTakeOwnershipPrivilege	472	services.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1180	1740	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe	21
PID 1740 wrote to memory of 1180	1740	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe	21
PID 1740 wrote to memory of 472	1740	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe	6
PID 1740 wrote to memory of 2404	1740	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe	30
PID 1740 wrote to memory of 2404	1740	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe	30
PID 1740 wrote to memory of 2404	1740	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe	30
PID 1740 wrote to memory of 2404	1740	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe	30
PID 1740 wrote to memory of 2404	1740	939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe	30

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:472

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1180
- C:\Users\Admin\AppData\Local\Temp\939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\939e2c9b64a6ac71e40f6738cb436a18_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Privilege Escalation

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\{15366efd-cfd9-0c16-f3c4-ad88e049c25a}\n

Filesize
26KB

MD5
fab7de9eafea67f88e43003698024c86

SHA1
24a4ef27c29cdeabed5e0af867e3f568da40d0c9

SHA256
073b1f99871dc56a33dcd55af71d53482816bfc9b3ce5c78ee53bed31b428384

SHA512
b4a57a8cc564760526d4cce26ce24e80657c064df373c307bb90cf053d01d04bdfe1def41fedfeb7715e53d8481a98c94bc6f3bf33815b4571d898aa08553fcd

Download Submit
\systemroot\Installer\{15366efd-cfd9-0c16-f3c4-ad88e049c25a}\@

Filesize
2KB

MD5
59fcdc3c942658dd7d6a4e95ed457ae5

SHA1
22097cc8d3f46dec6aacd15386053b19c5f7a11a

SHA256
add35cf56948f3fff305b98f8242bd9f5fc4ebdcff6a0937814bedf1d8402a11

SHA512
f808fb7622f231908957682978a003779dd0f6d1e1cd063f0d90a679f58bbe5dfe83b3e143a7530da3520ff937f3c6e667a33eb38f9d96d089b62d25d87773f2

Download Submit
memory/472-11-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/472-19-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1180-3-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/1180-17-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/1180-18-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/1740-2-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1740-1-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1740-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1740-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing