2e0f1487b90d72827b8fb51fd9cc5e4ee49220c1ca177722f276de63dfc5db6a

General

Target

c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe
Size

153KB
MD5

c71d6136d7549559ebddf65a48dd6a06
SHA1

d7d3a14231d2b467a515dabf203fcbc39683d689
SHA256

2e0f1487b90d72827b8fb51fd9cc5e4ee49220c1ca177722f276de63dfc5db6a
SHA512

770f4c4c61bb0726f1bfe3ee0249fb248a3899cf553597319c311de0d904d11328bc4d46ee63c6089a08e0efce1d82f798a06e8f2b073fb5441546cbeb2ff22e
SSDEEP

3072:KTLsLsGHC1Tc0JW458ql25l1EN4u8v3nEJ3kCWcLke:KP1GHST/JWw8qI6NInEiCWcL

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2584	cmd.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 2 IoCs

pid	Process
1184	Explorer.EXE
476	services.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2248 set thread context of 2584	2248	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe	30

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{c5b0555c-f9e5-c299-24bf-1a4ff565c69a}\@	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe
File created	C:\Windows\Installer\{c5b0555c-f9e5-c299-24bf-1a4ff565c69a}\n	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\clsid	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{c5b0555c-f9e5-c299-24bf-1a4ff565c69a}\\n."	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\ = "\\\\.\\globalroot\\systemroot\\Installer\\{c5b0555c-f9e5-c299-24bf-1a4ff565c69a}\\n."	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2248	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe
2248	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe
2248	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe
2248	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe
2248	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe
2248	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe
Token: SeDebugPrivilege	2248	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe
Token: SeDebugPrivilege	2248	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe
Token: SeBackupPrivilege	476	services.exe
Token: SeRestorePrivilege	476	services.exe
Token: SeSecurityPrivilege	476	services.exe
Token: SeTakeOwnershipPrivilege	476	services.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1184	2248	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe	21
PID 2248 wrote to memory of 1184	2248	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe	21
PID 2248 wrote to memory of 476	2248	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe	6
PID 2248 wrote to memory of 2584	2248	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe	30
PID 2248 wrote to memory of 2584	2248	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe	30
PID 2248 wrote to memory of 2584	2248	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe	30
PID 2248 wrote to memory of 2584	2248	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe	30
PID 2248 wrote to memory of 2584	2248	c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe	30

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:476

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1184
- C:\Users\Admin\AppData\Local\Temp\c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c71d6136d7549559ebddf65a48dd6a06_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Privilege Escalation

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\{c5b0555c-f9e5-c299-24bf-1a4ff565c69a}\n

Filesize
26KB

MD5
fab7de9eafea67f88e43003698024c86

SHA1
24a4ef27c29cdeabed5e0af867e3f568da40d0c9

SHA256
073b1f99871dc56a33dcd55af71d53482816bfc9b3ce5c78ee53bed31b428384

SHA512
b4a57a8cc564760526d4cce26ce24e80657c064df373c307bb90cf053d01d04bdfe1def41fedfeb7715e53d8481a98c94bc6f3bf33815b4571d898aa08553fcd

Download Submit
\systemroot\Installer\{c5b0555c-f9e5-c299-24bf-1a4ff565c69a}\@

Filesize
2KB

MD5
17e152745c5a73bb37d4884b1787f8d8

SHA1
cab0200416951bdb33ca262df2e86a185c94a7d2

SHA256
ff869f10634aa58c5577a391328ec9583b5dc596b1959443bb6f5b33bdc2f306

SHA512
704e6273f02da550cf1d25c958fd3cea86d2b6c43c547b10cf9dbde2c7655f79e08d83be364592c8c490b901a0231a8f94192e066c75f0f15d3c44c67307ec44

Download Submit
memory/476-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/476-18-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1184-3-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1184-7-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/2248-1-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2248-2-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2248-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2248-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2248-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2248-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing