fe445373b3165ec2b6728ce8e95c72f77f80b786084e9bce2c00567e2967ded1

General

Target

c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe
Size

86KB
MD5

c7d591d67eaef372ed375a0aaf2a0c76
SHA1

d696553d1d8f1f800765958a2e9dec682d21a76c
SHA256

fe445373b3165ec2b6728ce8e95c72f77f80b786084e9bce2c00567e2967ded1
SHA512

060a03999123e3dccdd63476b750235be9a7d02cf690c041eed51789af45ecddac756b92b407530854e73d803baef26ecabf5adb45c19242da021853ad239a48
SSDEEP

1536:khJAP49cOw7Wi7TjGzyu/V5OCD/QL5P060axISYzC6wuEa:khOP4ecOjGzym1p60axTYzm6

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2152	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe

Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs

Suspicious Windows Authentication Registry Modification.

persistence privilege_escalation

Authentication Package

T1547.002

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Notification Packages = 3200690034003200780070002e0064006c006c00000073006300650063006c00690000000000	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\2i42xp.dll	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\2i42xp.dll	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2152	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe
2152	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe
2152	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe
2152	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1124	2152	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe	19
PID 2152 wrote to memory of 1124	2152	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe	19
PID 2152 wrote to memory of 1176	2152	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe	20
PID 2152 wrote to memory of 1176	2152	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe	20
PID 2152 wrote to memory of 1236	2152	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe	21
PID 2152 wrote to memory of 1236	2152	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe	21
PID 2152 wrote to memory of 308	2152	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe	23
PID 2152 wrote to memory of 308	2152	c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe	23

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1236
- C:\Users\Admin\AppData\Local\Temp\c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c7d591d67eaef372ed375a0aaf2a0c76_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Boot or Logon Autostart Execution: Authentication Package
  - Drops file in System32 directory
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2152

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Authentication Package

1

T1547.002

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Authentication Package

1

T1547.002

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sB52C.tmp

Filesize
72KB

MD5
007f14c48a9898acc4331d3479f74ad3

SHA1
d13f6f259e0e723d7e442b82597d732de47f0191

SHA256
6e090a77f1c29aecdcd49657efb8db9084d5a879a5b6f851f6f949ed2908d1c1

SHA512
4045cb89723c1faf3d0a273cadf7327953cef16406abb27b47c6ef06e995ea4f3f9d8458cc6ac2499d9cbfeb9142b64c1e8631954f8884c2586fe88eaa241002

Download Submit
memory/1124-10-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1124-9-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2152-0-0x00000000000F0000-0x0000000000102000-memory.dmp

Filesize
72KB

Download
memory/2152-4-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads