c81254472980331bba82bad3ef11030b1d57cce46b393cc532b3cd38d2f82641

General

Target

a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
Size

3KB
MD5

a59b109c6da2b1373b5a49652028c902
SHA1

0942bd563a7bd4ebe8a74de3e3506fb713907ed2
SHA256

c81254472980331bba82bad3ef11030b1d57cce46b393cc532b3cd38d2f82641
SHA512

89962f510fc3b9db086afe2f81b0e82c85df0998dee401d1353d6e4c40474ee6e22b7c9b8b2ceb42a420852e9ac9a3d35bf41896b0dce25c88fe888d43431e26

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath = "%windir%\\Tasks\\eps.vbs"	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\ = "ÏµÍ³ÉèÖÃ"	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\smss.exe	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\smss.exe	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
File created	C:\Windows\Tasks\eps.vbs	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
1824	a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a59b109c6da2b1373b5a49652028c902_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1824-2-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1824-3-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1824-4-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1824-5-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1824-6-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1824-7-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1824-8-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1824-9-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1824-10-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1824-11-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1824-12-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1824-13-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1824-14-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1824-15-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads