055c6ad96af409328ebe9a4e8ff7189e3a986508d32a2950223d6a1bc4afe98b

General

Target

d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
Size

145KB
MD5

d672b3a0263bddfa358dd126702b5bf9
SHA1

8eb2e79eb7dd7370ddb4a3c46fe85c39cf5f8937
SHA256

055c6ad96af409328ebe9a4e8ff7189e3a986508d32a2950223d6a1bc4afe98b
SHA512

82b1b9d54a9383b6e829d51e278f765d9489a426d98095cff821e2e9a57bb54079aed4aec830be87aa6f18f35aee41737967b389c0b08cce84ed2c71d14fe0cb
SSDEEP

3072:knN5HYBvjr5SM/yv7VDVKMOQg5H1i8fZ5Ys+iyXFm+GqVphIw:kNC5P5SwQDVKM0H1i8fZ5YxXFm+T

Score

7^/10

defense_evasion discovery upx

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
Executes dropped EXE 2 IoCs

Processes:

Exporer32.exeExplorer.exe

pid process

576 Exporer32.exe
1272 Explorer.exe
Loads dropped DLL 2 IoCs

Processes:

d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe

pid process

1672 d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
1672 d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe

pid	process
576	Exporer32.exe
1272	Explorer.exe

pid	process
1672	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
1672	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Exporer32.exe	upx
behavioral1/memory/576-28-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/576-36-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

Processes:

Exporer32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\msjwtk.com Exporer32.exe
File created C:\Windows\SysWOW64\msjwtk.com Exporer32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\msjwtk.com	Exporer32.exe
File created	C:\Windows\SysWOW64\msjwtk.com	Exporer32.exe

Drops file in Windows directory 5 IoCs

Processes:

Exporer32.exed672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\msagent\msoepr.com	Exporer32.exe
File opened for modification	C:\Windows\PCGWIN32.LI5	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
File opened for modification	C:\Windows\Explorer.exe	Exporer32.exe
File created	C:\Windows\Explorer.exe	Exporer32.exe
File opened for modification	C:\Windows\msagent\msoepr.com	Exporer32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exeExporer32.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exporer32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exeExporer32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Exporer32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Exporer32.exe

Modifies registry class 6 IoCs

Processes:

d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{F5C8E816-ED946921-EF56718E-8A012477}\ = bd54669eacec476e50b798711eb423f062079bce1d37e43e5cc799d1a4e382050d70f4c78d91ab902a20abb78a81cca02b5aca9b13e55230eafb4c02680b6e32c8fd6c040b2d0a086b8b8a326d03a87acbbd354480cd5eebd895e4e091fcdf44d991a068d68daf88096c8cb5c8b34a8aca14eca38bddeda4d7109e6de6e8d0945e6da76891a9a8e80e0889ad8b97caaeca28ac93cbe5ad8008108da188f38cb204049e73d9c2a76c4e3557009e5be75d2124a8434c02098b4c0a0b75ea00f2d9c2a05cdce4e69dbfa739ce7828c5f54f73168ae1ad9397922ee2a9d49062e8e231fcccfa6a05524025ad602b6432ee7d484717e11e30a73711fe5406dd11a7dc5ee6673fbe863971fc00b91bfb9aba257c00444f6c56b71f01a6c02e4429a35072a1bb7ffa8644ee03483aee83f65ac0e57edfb99983dcb29a7c5bb962c7631e9ad91d1c181b5f1aa6e551dfe8d91463eda20b8a4a8b8b154aaccd962bd10a1335e2bc62068531ac44884c57f45e0fa7161ee1d9d3a0ede877f0ce8fe8298cb4f5c0ff4c793580ccb1894febb6f5cebc68060d8f14c9536faae933ef0ae9554bac9269a2a8bdcd074bce2aa815c9a0eb0d6d2888536da2941be1da17a3ee8508ec2d34f48dfe6b39d540effce987107195049c31e4742d41a830b543b3620ad5b363fa52825d7be442508b6dd2486ad7d3619d68640b13b25232130bd20aa293e525af6c36eb418d0c54896ff47640bf1bc61a2065277d1ba9ef29cc13159322aca66cde99b77f2257172e61642c558a7a98b36ed92eaf633c772186d87c9f9ea5b21216ebdf6d26b4118de48bc272f4bb4082f7baf143c7aa71b3c48dee74887d117868fb1545d030e8c9ec9768aeaf0889efa88950cca594af135662affaf6bb0085c32c75ab8cd27764be11b920bf810654bfe1c637ae3e09c74c3ef6398fc469ce57f69e3e2687ef4149eb54f56d8cb40a314d30144fd376edf10b3f72c6f53eb339b23c04bbe37da5388c3b347ab17b8ffa963a103d9338e5bb80454000684b4a32f4fb4cc576200fad565460d319dd60e7486111ec6cf64ab035fd4cc776a13f28464b31f5f84fc0492f77768efe0887d361552c5c0927744e715708ee9756d1116beccd8ab49340d5231c1ae55d006419fde447e22e1ae99baba5eab0ec3a56c5d1739f7a663d1f8426c06f52961d5018e4a7ce5197ebd10aa8f54c3074394cc4e8c035dcf0267e5f87e6918e586959346043873adebb26c5ef43492a50f3618afcd278dc47581ea75981589cdd2427e12e4309b294732cf237323e05b9ec7f2bf912fb2dfd8804737dc2842a402b8132d3b5120f9316522fe5960f5e16e6df31d908db175daea4699ecc992867cf8e69b6a88fa9096f8cb6d6b0504fe6b6b18187a30e729745ae9cf61bc0e250bdeac7adbeab38cabf2ab98dbcb778fe7c388581cf6716d19f24a611fed407eeae0857891e7359f524cfb3b6cdf06bccf5748c8fa889cd882b54ea9d74e7bd718404a22173b4b20eb529736c8297ac5155e3903ae9fd0b389279a2bcad446bee55e8a095fedf46d911a4ecd2d6eceeb5290fa8966ba0cabfec3996c4d170df7f5906a071870091a5103fd506535fa2a6ac4e6be852d66beeb2480bca32ec0dd4d423e0baf28544bf834695a16cb0b54ef0487c52fbadc5eb8375dac3e4ed70a88df274c48fbd96075e4e58f7a771013438f17b8782ee3488fd0dbb74ba0dc2c8f2954ce3abcd554befb2c98cebb52a0f8b964aaecd892b73eab212fc5539e08076ad41cb04327db53840bd07070e4e49e97773f13a4bc34d8d4bb48a3e2ab9cbbbad82d472927a5b7a22c26b42327cfd46fba105ef4049dff759be24462f6e76a97e37f8fe3b8602dfd599d320e5af53d6a2aeab694d089415d05c62992b63cab293cad50dacb40a7f6b06d25f9226addfebd9f5e77331ba787cb98504dfc1597fe3798a4772c17c6f46168f11295028953360c2a33cca476a8e157720fe5dc667ae2e17b76ecec87691cfafe9f68f3e16875171d3385d455b4f22c98d6b342a3d2b386abf8b060a3fcb064db1b47840f99fc7d9a163fcf5b8b00346a23fed464b6032fcfb78c540c3294d50c86af4f4f23d0cc4976061a3084d6ba855d0df58592163e855b1e3bf45063cef05697c88bbb07a87bb11baa0bc8605dfdcd966a3600a52b5e2b0138ad22b23b2728385ad4368f597cfaeb6483e48878ba10d8014621174987e62f8cc42ea3bf4c240dcfee6b91f8766dedee6999ea7e7fed1f89b40e2d39add65db4c25579c9e6627f0ce03a93acf3b96c26ec40923347281f20b74327e7b4645c020297fc80676ff81f9bffb863a30bd8584ffc279fac344fdfcb8b9007fa306cd6f4b6932d3fd658410a21713aed2365201952c6fcbc9f5d7cf9e291888998c9bb5da03da8a5a94dda39b6d5aa865d46c60b53bfc3a3a45fdac472bbed27962805acb5a15e4dc2f6616b1e1b417be1e47e75ef1a70cfe8b4652d1edebebb5f5f00ffa76babf034652bfeac6ab1eb5d9fc5b3aa2c36315aa6cad8b4b0a8a33cc3209cdec08741142d84424c20f25363ccfc5c9c313ed5a6be3f25dfa64826d1be8626a0d55e820d079d40062b9e203e21ae2255490915c5319dd64e770ae0fc8b6c80f89160f1176d001e8dccca6379f8ed977db0ea277243e5db9d8c75c8e25080049832c3af77b81c5cc5fea26b4cf03e95acb2355faefc4c91fb4660ece49a9f4577c5105a8ec0e94d79161db6422539de29812a2d323258a7ccbb95540e0ffd8f9a4c3c1158b502aa39552ace3b4253f10c6e19ffbd93aa4455ee366aa5eb4d8fd1b0722dec526c32f05369cf166f32f3d76b87e42c6ca4e1568102b196a982d27d45ee2e62b7eb2787d7a388547e34e7dd7381107e4ae4c68a9f474cccfb7293108b02b84aa8d6c37f6fe3f7806bd1fb8e67e0f46169fdf19d9e4df8019af5809d9945f9e26e731c17c77b9be0747deee5808a5d56c6feb9635510cd00926b0e17427330e32094388a21245238c7af77c3105bc40784407ec0e35573c6ec717d19e17189e5b98daa15c0b65d24c6ad793619a74a2717dc4b83e87c741614b6c5557a09e38d9fd1f87a68e5ec8d8f4e6429f9bd99d9ca418625da524b3af72297514706181b8ec782ac0f5e60fa136033172b4330cb217f21e44992d67f4f1fc08fa337a0afa95fa20bd1fc766e15198ece074e843977ae1bbbcc27a6405cf30a97968bc117b24ba91bd2087411ed7a7aefeb646f131cff869c6d0de9e66999fe766d1dfacd9149f9326e58153d8e5a4e33db28404a371e534108f97295e6827f75eb15988d8365eb127cfee49f610f01f46a6a15084218c2029738c82b73381f230838bf5aa80d244131d9a585d1924a473cd42970b6eaa29d268951163902218631f022693bfd2395404d371a5bc60386103401ad5a35f6d66d7012ebcd7c6517eacf894bdaf8749ee6f36b6bf3079f338bd45f853c0dd6e67973e9e07586e5cb7993e1b07da2e5ab79b0e9a175a1e5ca7a56e13f7eaf154fb5105585c99a7207ed1b96fc0496e73d78ad132d73d5144a09f8b594d9cb49ab05b819a1fdba65da024dfd3d9dd63dbaa6575dccca634af0de9e8ef17492e88178a9e	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C}	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C}\ = "2279425728"	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{F5C8E816-ED946921-EF56718E-8A012477}\ = 4676ef0dacec476e50b798711eb423f062079bcedd7139b95cc799d1a4e382050d70f4c78d91ab902a20abb78a81cca02b5aca9b13e55230eafb4c02680b6e32c8fd6c040b2d0a086b8b8a326d03a87acbbd354480cd5eebd895e4e091fcdf44d991a068d68daf88096c8cb5c8b34a8aca14eca38bddeda4d7109e6de6e8d0945e6da76891a9a8e80e0889ad8b97caaeca28ac93cbe5ad8008108da188f38cb204049e73d9c2a76c4e3557009e5be75d2124a8434c02098b4c0a0b75ea00f2d9c2a05cdce4e69dbfa739ce7828c5f54f73168ae1ad9397922ee2a9d49062e8e231fcccfa6a05524025ad602b6432ee7d484717e11e30a73711fe5406dd11a7dc5ee6673fbe863971fc00b91bfb9aba257c00444f6c56b71f01a6c02e4429a35072a1bb7ffa8644ee03483aee83f65ac0e57edfb99983dcb29a7c5bb962c7631e9ad91d1c181b5f1aa6e551dfe8d91463eda20b8a4a8b8b154aaccd962bd10a1335e2bc62068531ac44884c57f45e0fa7161ee1d9d3a0ede877f0ce8fe8298cb4f5c0ff4c793580ccb1894febb6f5cebc68060d8f14c9536faae933ef0ae9554bac9269a2a8bdcd074bce2aa815c9a0eb0d6d2888536da2941be1da17a3ee8508ec2d34f48dfe6b39d540effce987107195049c31e4742d41a830b543b3620ad5b363fa52825d7be442508b6dd2486ad7d3619d68640b13b25232130bd20aa293e525af6c36eb418d0c54896ff47640bf1bc61a2065277d1ba9ef29cc13159322aca66cde99b77f2257172e61642c558a7a98b36ed92eaf633c772186d87c9f9ea5b21216ebdf6d26b4118de48bc272f4bb4082f7baf143c7aa71b3c48dee74887d117868fb1545d030e8c9ec9768aeaf0889efa88950cca594af135662affaf6bb0085c32c75ab8cd27764be11b920bf810654bfe1c637ae3e09c74c3ef6398fc469ce57f69e3e2687ef4149eb54f56d8cb40a314d30144fd376edf10b3f72c6f53eb339b23c04bbe37da5388c3b347ab17b8ffa963a103d9338e5bb80454000684b4a32f4fb4cc576200fad565460d319dd60e7486111ec6cf64ab035fd4cc776a13f28464b31f5f84fc0492f77768efe0887d361552c5c0927744e715708ee9756d1116beccd8ab49340d5231c1ae55d006419fde447e22e1ae99baba5eab0ec3a56c5d1739f7a663d1f8426c06f52961d5018e4a7ce5197ebd10aa8f54c3074394cc4e8c035dcf0267e5f87e6918e586959346043873adebb26c5ef43492a50f3618afcd278dc47581ea75981589cdd2427e12e4309b294732cf237323e05b9ec7f2bf912fb2dfd8804737dc2842a402b8132d3b5120f9316522fe5960f5e16e6df31d908db175daea4699ecc992867cf8e69b6a88fa9096f8cb6d6b0504fe6b6b18187a30e729745ae9cf61bc0e250bdeac7adbeab38cabf2ab98dbcb778fe7c388581cf6716d19f24a611fed407eeae0857891e7359f524cfb3b6cdf06bccf5748c8fa889cd882b54ea9d74e7bd718404a22173b4b20eb529736c8297ac5155e3903ae9fd0b389279a2bcad446bee55e8a095fedf46d911a4ecd2d6eceeb5290fa8966ba0cabfec3996c4d170df7f5906a071870091a5103fd506535fa2a6ac4e6be852d66beeb2480bca32ec0dd4d423e0baf28544bf834695a16cb0b54ef0487c52fbadc5eb8375dac3e4ed70a88df274c48fbd96075e4e58f7a771013438f17b8782ee3488fd0dbb74ba0dc2c8f2954ce3abcd554befb2c98cebb52a0f8b964aaecd892b73eab212fc5539e08076ad41cb04327db53840bd07070e4e49e97773f13a4bc34d8d4bb48a3e2ab9cbbbad82d472927a5b7a22c26b42327cfd46fba105ef4049dff759be24462f6e76a97e37f8fe3b8602dfd599d320e5af53d6a2aeab694d089415d05c62992b63cab293cad50dacb40a7f6b06d25f9226addfebd9f5e77331ba787cb98504dfc1597fe3798a4772c17c6f46168f11295028953360c2a33cca476a8e157720fe5dc667ae2e17b76ecec87691cfafe9f68f3e16875171d3385d455b4f22c98d6b342a3d2b386abf8b060a3fcb064db1b47840f99fc7d9a163fcf5b8b00346a23fed464b6032fcfb78c540c3294d50c86af4f4f23d0cc4976061a3084d6ba855d0df58592163e855b1e3bf45063cef05697c88bbb07a87bb11baa0bc8605dfdcd966a3600a52b5e2b0138ad22b23b2728385ad4368f597cfaeb6483e48878ba10d8014621174987e62f8cc42ea3bf4c240dcfee6b91f8766dedee6999ea7e7fed1f89b40e2d39add65db4c25579c9e6627f0ce03a93acf3b96c26ec40923347281f20b74327e7b4645c020297fc80676ff81f9bffb863a30bd8584ffc279fac344fdfcb8b9007fa306cd6f4b6932d3fd658410a21713aed2365201952c6fcbc9f5d7cf9e291888998c9bb5da03da8a5a94dda39b6d5aa865d46c60b53bfc3a3a45fdac472bbed27962805acb5a15e4dc2f6616b1e1b417be1e47e75ef1a70cfe8b4652d1edebebb5f5f00ffa76babf034652bfeac6ab1eb5d9fc5b3aa2c36315aa6cad8b4b0a8a33cc3209cdec08741142d84424c20f25363ccfc5c9c313ed5a6be3f25dfa64826d1be8626a0d55e820d079d40062b9e203e21ae2255490915c5319dd64e770ae0fc8b6c80f89160f1176d001e8dccca6379f8ed977db0ea277243e5db9d8c75c8e25080049832c3af77b81c5cc5fea26b4cf03e95acb2355faefc4c91fb4660ece49a9f4577c5105a8ec0e94d79161db6422539de29812a2d323258a7ccbb95540e0ffd8f9a4c3c1158b502aa39552ace3b4253f10c6e19ffbd93aa4455ee366aa5eb4d8fd1b0722dec526c32f05369cf166f32f3d76b87e42c6ca4e1568102b196a982d27d45ee2e62b7eb2787d7a388547e34e7dd7381107e4ae4c68a9f474cccfb7293108b02b84aa8d6c37f6fe3f7806bd1fb8e67e0f46169fdf19d9e4df8019af5809d9945f9e26e731c17c77b9be0747deee5808a5d56c6feb9635510cd00926b0e17427330e32094388a21245238c7af77c3105bc40784407ec0e35573c6ec717d19e17189e5b98daa15c0b65d24c6ad793619a74a2717dc4b83e87c741614b6c5557a09e38d9fd1f87a68e5ec8d8f4e6429f9bd99d9ca418625da524b3af72297514706181b8ec782ac0f5e60fa136033172b4330cb217f21e44992d67f4f1fc08fa337a0afa95fa20bd1fc766e15198ece074e843977ae1bbbcc27a6405cf30a97968bc117b24ba91bd2087411ed7a7aefeb646f131cff869c6d0de9e66999fe766d1dfacd9149f9326e58153d8e5a4e33db28404a371e534108f97295e6827f75eb15988d8365eb127cfee49f610f01f46a6a15084218c2029738c82b73381f230838bf5aa80d244131d9a585d1924a473cd42970b6eaa29d268951163902218631f022693bfd2395404d371a5bc60386103401ad5a35f6d66d7012ebcd7c6517eacf894bdaf8749ee6f36b6bf3079f338bd45f853c0dd6e67973e9e07586e5cb7993e1b07da2e5ab79b0e9a175a1e5ca7a56e13f7eaf154fb5105585c99a7207ed1b96fc0496e73d78ad132d73d5144a09f8b594d9cb49ab05b819a1fdba65da024dfd3d9dd63dbaa6575dccca634af0de9e8ef17492e88178a9e	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\{F5C8E816-ED946921-EF56718E-8A012477}	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\{F5C8E816-ED946921-EF56718E-8A012477}\ = 35d57b71acec476e50b798711eb423f062079bce1d37e43e5cc799d1a4e382050d70f4c78d91ab902a20abb78a81cca02b5aca9b13e55230eafb4c02680b6e32c8fd6c040b2d0a086b8b8a326d03a87acbbd354480cd5eebd895e4e091fcdf44d991a068d68daf88096c8cb5c8b34a8aca14eca38bddeda4d7109e6de6e8d0945e6da76891a9a8e80e0889ad8b97caaeca28ac93cbe5ad8008108da1ac11702403049e73d9c2a76c4e3557009e5be75d2124a8434c02098b4c0a0b75ea00f2d9c2a05cdce4e69dbfa739ce7828c5f54f73168ae1ad9397922ee2a9d49062e8e231fcccfa6a05524025ad602b6432ee7d484717e11e30a73711fe5406dd11a7dc5ee6673fbe863971fc00b91bfb9aba257c00444f6c56b71f01a6c02e4429a35072a1bb7ffa8644ee03483aee83f65ac0e57edfb99983dcb29a7c5bb962c7631e9ad91d1c181b5f1aa6e551dfe8d91463eda20b8a4a8b8b154aaccd962bd10a1335e2bc62068531ac44884c57f45e0fa7161ee1d9d3a0ede877f0ce8fe8298cb4f5c0ff4c793580ccb1894febb6f5cebc68060d8f14c9536faae933ef0ae9554bac9269a2a8bdcd074bce2aa815c9a0eb0d6d2888536da2941be1da17a3ee8508ec2d34f48dfe6b39d540effce987107195049c31e4742d41a830b543b3620ad5b363fa52825d7be442508b6dd2486ad7d3619d68640b13b25232130bd20aa293e525af6c36eb418d0c54896ff47640bf1bc61a2065277d1ba9ef29cc13159322aca66cde99b77f2257172e61642c558a7a98b36ed92eaf633c772186d87c9f9ea5b21216ebdf6d26b4118de48bc272f4bb4082f7baf143c7aa71b3c48dee74887d117868fb1545d030e8c9ec9768aeaf0889efa88950cca594af135662affaf6bb0085c32c75ab8cd27764be11b920bf810654bfe1c637ae3e09c74c3ef6398fc469ce57f69e3e2687ef4149eb54f56d8cb40a314d30144fd376edf10b3f72c6f53eb339b23c04bbe37da5388c3b347ab17b8ffa963a103d9338e5bb80454000684b4a32f4fb4cc576200fad565460d319dd60e7486111ec6cf64ab035fd4cc776a13f28464b31f5f84fc0492f77768efe0887d361552c5c0927744e715708ee9756d1116beccd8ab49340d5231c1ae55d006419fde447e22e1ae99baba5eab0ec3a56c5d1739f7a663d1f8426c06f52961d5018e4a7ce5197ebd10aa8f54c3074394cc4e8c035dcf0267e5f87e6918e586959346043873adebb26c5ef43492a50f3618afcd278dc47581ea75981589cdd2427e12e4309b294732cf237323e05b9ec7f2bf912fb2dfd8804737dc2842a402b8132d3b5120f9316522fe5960f5e16e6df31d908db175daea4699ecc992867cf8e69b6a88fa9096f8cb6d6b0504fe6b6b18187a30e729745ae9cf61bc0e250bdeac7adbeab38cabf2ab98dbcb778fe7c388581cf6716d19f24a611fed407eeae0857891e7359f524cfb3b6cdf06bccf5748c8fa889cd882b54ea9d74e7bd718404a22173b4b20eb529736c8297ac5155e3903ae9fd0b389279a2bcad446bee55e8a095fedf46d911a4ecd2d6eceeb5290fa8966ba0cabfec3996c4d170df7f5906a071870091a5103fd506535fa2a6ac4e6be852d66beeb2480bca32ec0dd4d423e0baf28544bf834695a16cb0b54ef0487c52fbadc5eb8375dac3e4ed70a88df274c48fbd96075e4e58f7a771013438f17b8782ee3488fd0dbb74ba0dc2c8f2954ce3abcd554befb2c98cebb52a0f8b964aaecd892b73eab212fc5539e08076ad41cb04327db53840bd07070e4e49e97773f13a4bc34d8d4bb48a3e2ab9cbbbad82d472927a5b7a22c26b42327cfd46fba105ef4049dff759be24462f6e76a97e37f8fe3b8602dfd599d320e5af53d6a2aeab694d089415d05c62992b63cab293cad50dacb40a7f6b06d25f9226addfebd9f5e77331ba787cb98504dfc1597fe3798a4772c17c6f46168f11295028953360c2a33cca476a8e157720fe5dc667ae2e17b76ecec87691cfafe9f68f3e16875171d3385d455b4f22c98d6b342a3d2b386abf8b060a3fcb064db1b47840f99fc7d9a163fcf5b8b00346a23fed464b6032fcfb78c540c3294d50c86af4f4f23d0cc4976061a3084d6ba855d0df58592163e855b1e3bf45063cef05697c88bbb07a87bb11baa0bc8605dfdcd966a3600a52b5e2b0138ad22b23b2728385ad4368f597cfaeb6483e48878ba10d8014621174987e62f8cc42ea3bf4c240dcfee6b91f8766dedee6999ea7e7fed1f89b40e2d39add65db4c25579c9e6627f0ce03a93acf3b96c26ec40923347281f20b74327e7b4645c020297fc80676ff81f9bffb863a30bd8584ffc279fac344fdfcb8b9007fa306cd6f4b6932d3fd658410a21713aed2365201952c6fcbc9f5d7cf9e291888998c9bb5da03da8a5a94dda39b6d5aa865d46c60b53bfc3a3a45fdac472bbed27962805acb5a15e4dc2f6616b1e1b417be1e47e75ef1a70cfe8b4652d1edebebb5f5f00ffa76babf034652bfeac6ab1eb5d9fc5b3aa2c36315aa6cad8b4b0a8a33cc3209cdec08741142d84424c20f25363ccfc5c9c313ed5a6be3f25dfa64826d1be8626a0d55e820d079d40062b9e203e21ae2255490915c5319dd64e770ae0fc8b6c80f89160f1176d001e8dccca6379f8ed977db0ea277243e5db9d8c75c8e25080049832c3af77b81c5cc5fea26b4cf03e95acb2355faefc4c91fb4660ece49a9f4577c5105a8ec0e94d79161db6422539de29812a2d323258a7ccbb95540e0ffd8f9a4c3c1158b502aa39552ace3b4253f10c6e19ffbd93aa4455ee366aa5eb4d8fd1b0722dec526c32f05369cf166f32f3d76b87e42c6ca4e1568102b196a982d27d45ee2e62b7eb2787d7a388547e34e7dd7381107e4ae4c68a9f474cccfb7293108b02b84aa8d6c37f6fe3f7806bd1fb8e67e0f46169fdf19d9e4df8019af5809d9945f9e26e731c17c77b9be0747deee5808a5d56c6feb9635510cd00926b0e17427330e32094388a21245238c7af77c3105bc40784407ec0e35573c6ec717d19e17189e5b98daa15c0b65d24c6ad793619a74a2717dc4b83e87c741614b6c5557a09e38d9fd1f87a68e5ec8d8f4e6429f9bd99d9ca418625da524b3af72297514706181b8ec782ac0f5e60fa136033172b4330cb217f21e44992d67f4f1fc08fa337a0afa95fa20bd1fc766e15198ece074e843977ae1bbbcc27a6405cf30a97968bc117b24ba91bd2087411ed7a7aefeb646f131cff869c6d0de9e66999fe766d1dfacd9149f9326e58153d8e5a4e33db28404a371e534108f97295e6827f75eb15988d8365eb127cfee49f610f01f46a6a15084218c2029738c82b73381f230838bf5aa80d244131d9a585d1924a473cd42970b6eaa29d268951163902218631f022693bfd2395404d371a5bc60386103401ad5a35f6d66d7012ebcd7c6517eacf894bdaf8749ee6f36b6bf3079f338bd45f853c0dd6e67973e9e07586e5cb7993e1b07da2e5ab79b0e9a175a1e5ca7a56e13f7eaf154fb5105585c99a7207ed1b96fc0496e73d78ad132d73d5144a09f8b594d9cb49ab05b819a1fdba65da024dfd3d9dd63dbaa6575dccca634af0de9e8ef17492e88178a9e	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Exporer32.exe

pid process

576 Exporer32.exe

pid	process
576	Exporer32.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

Exporer32.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	576	Exporer32.exe
Token: SeSecurityPrivilege	576	Exporer32.exe
Token: SeTakeOwnershipPrivilege	576	Exporer32.exe
Token: SeLoadDriverPrivilege	576	Exporer32.exe
Token: SeSystemProfilePrivilege	576	Exporer32.exe
Token: SeSystemtimePrivilege	576	Exporer32.exe
Token: SeProfSingleProcessPrivilege	576	Exporer32.exe
Token: SeIncBasePriorityPrivilege	576	Exporer32.exe
Token: SeCreatePagefilePrivilege	576	Exporer32.exe
Token: SeBackupPrivilege	576	Exporer32.exe
Token: SeRestorePrivilege	576	Exporer32.exe
Token: SeShutdownPrivilege	576	Exporer32.exe
Token: SeDebugPrivilege	576	Exporer32.exe
Token: SeSystemEnvironmentPrivilege	576	Exporer32.exe
Token: SeRemoteShutdownPrivilege	576	Exporer32.exe
Token: SeUndockPrivilege	576	Exporer32.exe
Token: SeManageVolumePrivilege	576	Exporer32.exe
Token: 33	576	Exporer32.exe
Token: 34	576	Exporer32.exe
Token: 35	576	Exporer32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe

pid process

1672 d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe

pid	process
1672	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exeExporer32.exe

description	pid	process	target process
PID 1672 wrote to memory of 576	1672	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe	Exporer32.exe
PID 1672 wrote to memory of 576	1672	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe	Exporer32.exe
PID 1672 wrote to memory of 576	1672	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe	Exporer32.exe
PID 1672 wrote to memory of 576	1672	d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe	Exporer32.exe
PID 576 wrote to memory of 1272	576	Exporer32.exe	Explorer.exe
PID 576 wrote to memory of 1272	576	Exporer32.exe	Explorer.exe
PID 576 wrote to memory of 1272	576	Exporer32.exe	Explorer.exe
PID 576 wrote to memory of 1272	576	Exporer32.exe	Explorer.exe
PID 576 wrote to memory of 616	576	Exporer32.exe	cmd.exe
PID 576 wrote to memory of 616	576	Exporer32.exe	cmd.exe
PID 576 wrote to memory of 616	576	Exporer32.exe	cmd.exe
PID 576 wrote to memory of 616	576	Exporer32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d672b3a0263bddfa358dd126702b5bf9_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
"C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
3⤵
- Executes dropped EXE
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\PCGWIN32.LI5

Filesize
2KB

MD5
6cf7bf1fbdb96c9b19a50a57cfbe73fc

SHA1
b0e0b3873c4865ac6935790e5d083ebcbc77ae9c

SHA256
2d5832a4ecba11963629a76b19f1be2965df6ca84ba1a85c152c5e671995077e

SHA512
b97da7f8f6703c452e162da78e33f323057d5e28a5e9a2cb4921d72f63c49e6a1bdd8259a47bc25441cba259e0038af9ad8980c7b0ab7de51c6c71c8e5ea63c7

Download Submit
C:\Windows\explorer.exe

Filesize
2.7MB

MD5
ac4c51eb24aa95b77f705ab159189e24

SHA1
4583daf9442880204730fb2c8a060430640494b1

SHA256
6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a

SHA512
011bfe19bd15dcc0f9850575e20d7f2c01160ec98ba461ad59a51b9417049e6475648b9056990247699624b080cf609ec7b5409231cfb46a012d723f7db08d81

Download Submit
\Users\Admin\AppData\Local\Temp\Exporer32.exe

Filesize
33KB

MD5
7e379619ddab7417a5b3a8a73b2c1177

SHA1
5a3977aff043e26f75ae369e8aaa3f9fd3b5c450

SHA256
a02d3199707b973a3ebaa57b957ef9ea605a1998b844ede23289cd39a28a28a1

SHA512
518db5b4bbaddc942110819b7a23145355b00c73fd02be2e4767835f35eada059e3aabe1565491b1efc5130344f6ddfd509f8719c3d824c27a0caad854d4bfe2

Download Submit
memory/576-28-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/576-36-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1672-11-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1672-10-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1672-23-0x0000000000500000-0x000000000051D000-memory.dmp

Filesize
116KB

Download
memory/1672-27-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/1672-26-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1672-22-0x0000000000500000-0x000000000051D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads