b97a4516336bcff6b2ca01eeaf223454355e586893be4a9861aaea2b5f093bb3

General

Target

d6ba494116dad5c2cf425727ae1a91c2_JaffaCakes118.dll
Size

152KB
MD5

d6ba494116dad5c2cf425727ae1a91c2
SHA1

19f9076fadb777b1e3e8cda48e671269bcddc88d
SHA256

b97a4516336bcff6b2ca01eeaf223454355e586893be4a9861aaea2b5f093bb3
SHA512

898b8d1408ea6869eae9c1068f7d3e487cbc1387ffab697755a13b323f2e8972610397c7daf28ea6f8c2cbe5d558451d435b39d3bb3ed105698c6e9b1ea67576
SSDEEP

3072:aBFInOSrdX9hlJrtSLgFloqPwLGAiRakc58woC7Hk9U2XhEL:l1JrtSLgFGqoLG3o8woj9U2xu

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2828	rundll32.exe
2828	rundll32.exe
2828	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	rundll32.exe
Token: SeShutdownPrivilege	1232	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2828	1560	rundll32.exe	31
PID 1560 wrote to memory of 2828	1560	rundll32.exe	31
PID 1560 wrote to memory of 2828	1560	rundll32.exe	31
PID 1560 wrote to memory of 2828	1560	rundll32.exe	31
PID 1560 wrote to memory of 2828	1560	rundll32.exe	31
PID 1560 wrote to memory of 2828	1560	rundll32.exe	31
PID 1560 wrote to memory of 2828	1560	rundll32.exe	31
PID 2828 wrote to memory of 1232	2828	rundll32.exe	21
PID 2828 wrote to memory of 2684	2828	rundll32.exe	32
PID 2828 wrote to memory of 2684	2828	rundll32.exe	32
PID 2828 wrote to memory of 2684	2828	rundll32.exe	32
PID 2828 wrote to memory of 2684	2828	rundll32.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1232
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6ba494116dad5c2cf425727ae1a91c2_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6ba494116dad5c2cf425727ae1a91c2_JaffaCakes118.dll,#1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Users\Admin\AppData
      4⤵
      System Location Discovery: System Language Discovery
      PID:2684

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1232-8-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/2760-11-0x0000000003A90000-0x0000000003AA0000-memory.dmp

Filesize
64KB

Download
memory/2828-10-0x00000000006B0000-0x00000000006D1000-memory.dmp

Filesize
132KB

Download
memory/2828-7-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/2828-6-0x00000000779AF000-0x00000000779B0000-memory.dmp

Filesize
4KB

Download
memory/2828-5-0x00000000006B0000-0x00000000006D1000-memory.dmp

Filesize
132KB

Download
memory/2828-3-0x00000000006B0000-0x00000000006D1000-memory.dmp

Filesize
132KB

Download
memory/2828-2-0x00000000006B0000-0x00000000006D1000-memory.dmp

Filesize
132KB

Download
memory/2828-1-0x00000000006B0000-0x00000000006D1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing