f9c4211462aaad9ae8bb81c9a0e3fe4651b0a564f46f9d6992867869c6473bb8

General

Target

c857761fd4e33cfe8ab9b33055ec1d15_JaffaCakes118.exe
Size

2.1MB
MD5

c857761fd4e33cfe8ab9b33055ec1d15
SHA1

f7df1e9b4a9c23861bc65194af7a80170c177a65
SHA256

f9c4211462aaad9ae8bb81c9a0e3fe4651b0a564f46f9d6992867869c6473bb8
SHA512

fa53e6892754ee3ec434939bb7da64e6d2ca2b6bc3aed8cae356e1fa3bcad12a9842d6dab6a2148c4f0c776dc795af68dd902b37b211f7df35f97a5411169719
SSDEEP

49152:0frqx1trn6CHADcsaaYIIugQ5OUUJC6p5vRCdmP9u:0zI/6CHfsvYFQIUICMFRCdq9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3044	svchosts.exe

Loads dropped DLL 4 IoCs

pid	Process
2152	c857761fd4e33cfe8ab9b33055ec1d15_JaffaCakes118.exe
2152	c857761fd4e33cfe8ab9b33055ec1d15_JaffaCakes118.exe
3044	svchosts.exe
3044	svchosts.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchosts = "C:\\Windows\\WINDOWS\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchosts = "C:\\Windows\\WINDOWS\\svchosts.exe"	svchosts.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WINDOWS\svchosts.exe	c857761fd4e33cfe8ab9b33055ec1d15_JaffaCakes118.exe
File created	C:\Windows\WINDOWS\svchosts.exe	c857761fd4e33cfe8ab9b33055ec1d15_JaffaCakes118.exe
File opened for modification	C:\Windows\WINDOWS\svchosts.sys	svchosts.exe
File created	C:\Windows\WINDOWS\svchosts.sys	svchosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c857761fd4e33cfe8ab9b33055ec1d15_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile	c857761fd4e33cfe8ab9b33055ec1d15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell	c857761fd4e33cfe8ab9b33055ec1d15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\open	c857761fd4e33cfe8ab9b33055ec1d15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\open\command\ = "rundll32.exe"	c857761fd4e33cfe8ab9b33055ec1d15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\open\command	c857761fd4e33cfe8ab9b33055ec1d15_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2152	c857761fd4e33cfe8ab9b33055ec1d15_JaffaCakes118.exe
3044	svchosts.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2152	c857761fd4e33cfe8ab9b33055ec1d15_JaffaCakes118.exe
Token: SeDebugPrivilege	3044	svchosts.exe
Token: SeDebugPrivilege	3044	svchosts.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 3044	2152	c857761fd4e33cfe8ab9b33055ec1d15_JaffaCakes118.exe	30
PID 2152 wrote to memory of 3044	2152	c857761fd4e33cfe8ab9b33055ec1d15_JaffaCakes118.exe	30
PID 2152 wrote to memory of 3044	2152	c857761fd4e33cfe8ab9b33055ec1d15_JaffaCakes118.exe	30
PID 2152 wrote to memory of 3044	2152	c857761fd4e33cfe8ab9b33055ec1d15_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2696	3044	svchosts.exe	31
PID 3044 wrote to memory of 2696	3044	svchosts.exe	31
PID 3044 wrote to memory of 2696	3044	svchosts.exe	31
PID 3044 wrote to memory of 2696	3044	svchosts.exe	31
PID 3044 wrote to memory of 2696	3044	svchosts.exe	31
PID 3044 wrote to memory of 2696	3044	svchosts.exe	31

C:\Users\Admin\AppData\Local\Temp\c857761fd4e33cfe8ab9b33055ec1d15_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c857761fd4e33cfe8ab9b33055ec1d15_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\WINDOWS\svchosts.exe
  C:\Windows\WINDOWS\svchosts.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\WINDOWS\svchosts.exe

Filesize
2.1MB

MD5
c857761fd4e33cfe8ab9b33055ec1d15

SHA1
f7df1e9b4a9c23861bc65194af7a80170c177a65

SHA256
f9c4211462aaad9ae8bb81c9a0e3fe4651b0a564f46f9d6992867869c6473bb8

SHA512
fa53e6892754ee3ec434939bb7da64e6d2ca2b6bc3aed8cae356e1fa3bcad12a9842d6dab6a2148c4f0c776dc795af68dd902b37b211f7df35f97a5411169719

Download Submit
\Windows\WINDOWS\svchosts.sys

Filesize
218KB

MD5
664ab9057066adf94fdf05034d4e6096

SHA1
a07890f6eef7b1aaa24519346bd13647eea3353c

SHA256
99c624049c82c5073883d19c83e745105b50c29068c0daa6c04a98a708700c1d

SHA512
ba1febf0de0003827e03895be103953f73877db678472ceda1bfdbed3fa6395f516ee52a93bc3aca197992fe7bbf958c3062222c76b02ba4901a6b11af8b970b

Download Submit
memory/2152-22-0x0000000013140000-0x00000000135BF000-memory.dmp

Filesize
4.5MB

Download
memory/2152-10-0x0000000013140000-0x00000000135BF000-memory.dmp

Filesize
4.5MB

Download
memory/2152-0-0x0000000013141000-0x0000000013146000-memory.dmp

Filesize
20KB

Download
memory/2152-23-0x0000000013140000-0x00000000135BF000-memory.dmp

Filesize
4.5MB

Download
memory/3044-29-0x0000000013140000-0x00000000135BF000-memory.dmp

Filesize
4.5MB

Download
memory/3044-36-0x0000000013140000-0x00000000135BF000-memory.dmp

Filesize
4.5MB

Download
memory/3044-24-0x0000000013140000-0x00000000135BF000-memory.dmp

Filesize
4.5MB

Download
memory/3044-26-0x0000000004980000-0x00000000049D6000-memory.dmp

Filesize
344KB

Download
memory/3044-25-0x0000000013140000-0x00000000135BF000-memory.dmp

Filesize
4.5MB

Download
memory/3044-27-0x0000000013140000-0x00000000135BF000-memory.dmp

Filesize
4.5MB

Download
memory/3044-18-0x0000000004980000-0x00000000049D6000-memory.dmp

Filesize
344KB

Download
memory/3044-31-0x0000000013140000-0x00000000135BF000-memory.dmp

Filesize
4.5MB

Download
memory/3044-33-0x0000000013140000-0x00000000135BF000-memory.dmp

Filesize
4.5MB

Download
memory/3044-20-0x0000000013140000-0x00000000135BF000-memory.dmp

Filesize
4.5MB

Download
memory/3044-39-0x0000000004980000-0x00000000049D6000-memory.dmp

Filesize
344KB

Download
memory/3044-38-0x0000000013140000-0x00000000135BF000-memory.dmp

Filesize
4.5MB

Download
memory/3044-40-0x0000000013140000-0x00000000135BF000-memory.dmp

Filesize
4.5MB

Download
memory/3044-42-0x0000000013140000-0x00000000135BF000-memory.dmp

Filesize
4.5MB

Download
memory/3044-44-0x0000000013140000-0x00000000135BF000-memory.dmp

Filesize
4.5MB

Download
memory/3044-46-0x0000000013140000-0x00000000135BF000-memory.dmp

Filesize
4.5MB

Download
memory/3044-48-0x0000000013140000-0x00000000135BF000-memory.dmp

Filesize
4.5MB

Download
memory/3044-50-0x0000000013140000-0x00000000135BF000-memory.dmp

Filesize
4.5MB

Download
memory/3044-52-0x0000000013140000-0x00000000135BF000-memory.dmp

Filesize
4.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads