1f3f62f463864cf4ed2d35f3d2b2d3ed1cf6a38c206bf19b5f3227496a4eb19f

General

Target

a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe
Size

236KB
MD5

a14124a3f85e4b827de7fc26f3f8a486
SHA1

297681b8de6ba22ddadae836772f41126565dc77
SHA256

1f3f62f463864cf4ed2d35f3d2b2d3ed1cf6a38c206bf19b5f3227496a4eb19f
SHA512

c4eff1395ff4321a09791f8581f0e86f2d72ce968a3da779ab9ce94f70b2e0ab830d340a10993fa0d3e241326269f021f78223e8ce4e5cd81d88b735b7ebdebd
SSDEEP

6144:hZiKocSHVJgztFoJqu4rspWcDXH4xU38PYuHSnzvQ/+:ijbHV2ZspbDXYxq8wuMzvV

Score

8^/10

defense_evasion discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\Legacy VGA Drivers V1.0	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\Legacy VGA Drivers V1.0\StubPath = "C:\\Windows\\certproc32.exe"	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\Legacy VGA Drivers V1.0	certproc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\Legacy VGA Drivers V1.0\StubPath = "C:\\Windows\\certproc32.exe"	certproc32.exe

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2268	certproc32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Legacy VGA Drivers V1.0 = "C:\\Windows\\certproc32.exe"	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Legacy VGA Drivers V1.0 = "C:\\Windows\\certproc32.exe"	certproc32.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\jtcres32.dll	certproc32.exe
File created	C:\Windows\mapisrv32.dll	certproc32.exe
File created	C:\Windows\certproc32.exe	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certproc32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2268	certproc32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2268	2024	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe	30
PID 2024 wrote to memory of 2268	2024	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe	30
PID 2024 wrote to memory of 2268	2024	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe	30
PID 2024 wrote to memory of 2268	2024	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe	30
PID 2024 wrote to memory of 2768	2024	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe	31
PID 2024 wrote to memory of 2768	2024	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe	31
PID 2024 wrote to memory of 2768	2024	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe	31
PID 2024 wrote to memory of 2768	2024	a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe	31
PID 2268 wrote to memory of 1220	2268	certproc32.exe	21
PID 2268 wrote to memory of 764	2268	certproc32.exe	33
PID 2268 wrote to memory of 764	2268	certproc32.exe	33
PID 2268 wrote to memory of 764	2268	certproc32.exe	33
PID 2268 wrote to memory of 764	2268	certproc32.exe	33
PID 2268 wrote to memory of 764	2268	certproc32.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a14124a3f85e4b827de7fc26f3f8a486_JaffaCakes118.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\certproc32.exe
    "C:\Windows\certproc32.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:764
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A14124~1.EXE>> NUL
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\certproc32.exe

Filesize
236KB

MD5
a14124a3f85e4b827de7fc26f3f8a486

SHA1
297681b8de6ba22ddadae836772f41126565dc77

SHA256
1f3f62f463864cf4ed2d35f3d2b2d3ed1cf6a38c206bf19b5f3227496a4eb19f

SHA512
c4eff1395ff4321a09791f8581f0e86f2d72ce968a3da779ab9ce94f70b2e0ab830d340a10993fa0d3e241326269f021f78223e8ce4e5cd81d88b735b7ebdebd

Download Submit
memory/1220-22-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/2024-11-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2024-3-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2024-4-0x0000000000446000-0x0000000000447000-memory.dmp

Filesize
4KB

Download
memory/2024-12-0x0000000001EA0000-0x0000000001EE7000-memory.dmp

Filesize
284KB

Download
memory/2024-2-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2024-1-0x0000000000446000-0x0000000000447000-memory.dmp

Filesize
4KB

Download
memory/2024-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2268-18-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2268-20-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2268-19-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2268-25-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2268-27-0x0000000013100000-0x0000000013147000-memory.dmp

Filesize
284KB

Download
memory/2268-32-0x0000000013100000-0x0000000013147000-memory.dmp

Filesize
284KB

Download
memory/2268-29-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads