e0f2cc4926ee75d815692de2a970e01b9ccf351987c495a591202cf90a73008f

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
Size

404KB
MD5

db158a450dfce4205588e0b1a68597f2
SHA1

fd08f935988e6f1c4e72fe4c47d3012a374bc2b0
SHA256

e0f2cc4926ee75d815692de2a970e01b9ccf351987c495a591202cf90a73008f
SHA512

588721c0adefd2917231a9fee9bb223c74b2b9eb3c4c083a38b0795ae37c73c592ba151d222bfcae77ccc0bbf992ae6141b286985ef4b5487fc49b0a5a1a4c6b
SSDEEP

3072:v+0++re1DsRxW1YUf3f3vV5Km/EkHY2MgBlh0epD5a6Ym+0++re1DsRxC1YUf3ft:m+yOvWj3H/EAYfgBlD5mZ+yOvCj3

Score

8^/10

defense_evasion discovery evasion persistence trojan

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 1 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	LSASS.EXE

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe	LSASS.EXE

Executes dropped EXE 10 IoCs

pid	Process
2528	SMSS.EXE
2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
2844	SMSS.EXE
864	LSASS.EXE
2616	LSASS.EXE
2720	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe
1720	SMSS.EXE
1280	SMSS.EXE
2704	SMSS.EXE
1268	SMSS.EXE

Loads dropped DLL 21 IoCs

pid	Process
2532	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
2532	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
2532	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
2532	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
864	LSASS.EXE
864	LSASS.EXE
864	LSASS.EXE
864	LSASS.EXE
864	LSASS.EXE
864	LSASS.EXE
864	LSASS.EXE
864	LSASS.EXE
1080	regsvr32.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	LSASS.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	LSASS.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	LSASS.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	LSASS.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	LSASS.EXE

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LSASS.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LSASS.EXE

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	LSASS.EXE
File opened (read-only)	\??\H:	LSASS.EXE

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	LSASS.EXE

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	LSASS.EXE
File created	C:\AUTORUN.INF	LSASS.EXE
File opened for modification	D:\AUTORUN.INF	LSASS.EXE
File opened for modification	\??\E:\AUTORUN.INF	LSASS.EXE

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\com\bak	LSASS.EXE
File created	C:\Windows\SysWOW64\com\SMSS.EXE	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\com\SMSS.EXE	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
File created	C:\Windows\SysWOW64\com\LSASS.EXE	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
File opened for modification	C:\Windows\SysWOW64\com\SMSS.EXE	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\com\SMSS.EXE	LSASS.EXE
File created	C:\Windows\SysWOW64\com\SMSS.EXE	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\com\SMSS.EXE	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\com\netcfg.000	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\com\netcfg.dll	LSASS.EXE
File created	C:\Windows\SysWOW64\com\netcfg.000	LSASS.EXE
File created	C:\Windows\SysWOW64\com\SMSS.EXE	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
File created	C:\Windows\SysWOW64\com\SMSS.EXE	LSASS.EXE
File created	C:\Windows\SysWOW64\com\netcfg.dll	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\com\LSASS.EXE	LSASS.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3016	ping.exe
1760	ping.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	LSASS.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1\ = "131473"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module"	regsvr32.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3016	ping.exe
1760	ping.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2532	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
2532	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
2532	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
2532	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
864	LSASS.EXE
864	LSASS.EXE
2616	LSASS.EXE
2616	LSASS.EXE
2616	LSASS.EXE
2616	LSASS.EXE
864	LSASS.EXE
864	LSASS.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2076	2532	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2076	2532	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2076	2532	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2076	2532	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2528	2532	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2528	2532	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2528	2532	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2528	2532	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	32
PID 2532 wrote to memory of 2256	2532	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	33
PID 2532 wrote to memory of 2256	2532	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	33
PID 2532 wrote to memory of 2256	2532	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	33
PID 2532 wrote to memory of 2256	2532	db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe	33
PID 2256 wrote to memory of 2892	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	34
PID 2256 wrote to memory of 2892	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	34
PID 2256 wrote to memory of 2892	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	34
PID 2256 wrote to memory of 2892	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	34
PID 2256 wrote to memory of 2732	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	36
PID 2256 wrote to memory of 2732	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	36
PID 2256 wrote to memory of 2732	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	36
PID 2256 wrote to memory of 2732	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	36
PID 2256 wrote to memory of 864	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	38
PID 2256 wrote to memory of 864	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	38
PID 2256 wrote to memory of 864	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	38
PID 2256 wrote to memory of 864	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	38
PID 2256 wrote to memory of 2844	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	39
PID 2256 wrote to memory of 2844	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	39
PID 2256 wrote to memory of 2844	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	39
PID 2256 wrote to memory of 2844	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	39
PID 2256 wrote to memory of 2720	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	40
PID 2256 wrote to memory of 2720	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	40
PID 2256 wrote to memory of 2720	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	40
PID 2256 wrote to memory of 2720	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	40
PID 2256 wrote to memory of 2616	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	41
PID 2256 wrote to memory of 2616	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	41
PID 2256 wrote to memory of 2616	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	41
PID 2256 wrote to memory of 2616	2256	db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log	41
PID 2616 wrote to memory of 2184	2616	LSASS.EXE	42
PID 2616 wrote to memory of 2184	2616	LSASS.EXE	42
PID 2616 wrote to memory of 2184	2616	LSASS.EXE	42
PID 2616 wrote to memory of 2184	2616	LSASS.EXE	42
PID 2616 wrote to memory of 1716	2616	LSASS.EXE	43
PID 2616 wrote to memory of 1716	2616	LSASS.EXE	43
PID 2616 wrote to memory of 1716	2616	LSASS.EXE	43
PID 2616 wrote to memory of 1716	2616	LSASS.EXE	43
PID 864 wrote to memory of 2024	864	LSASS.EXE	46
PID 864 wrote to memory of 2024	864	LSASS.EXE	46
PID 864 wrote to memory of 2024	864	LSASS.EXE	46
PID 864 wrote to memory of 2024	864	LSASS.EXE	46
PID 864 wrote to memory of 1468	864	LSASS.EXE	47
PID 864 wrote to memory of 1468	864	LSASS.EXE	47
PID 864 wrote to memory of 1468	864	LSASS.EXE	47
PID 864 wrote to memory of 1468	864	LSASS.EXE	47
PID 864 wrote to memory of 1720	864	LSASS.EXE	50
PID 864 wrote to memory of 1720	864	LSASS.EXE	50
PID 864 wrote to memory of 1720	864	LSASS.EXE	50
PID 864 wrote to memory of 1720	864	LSASS.EXE	50
PID 864 wrote to memory of 1280	864	LSASS.EXE	51
PID 864 wrote to memory of 1280	864	LSASS.EXE	51
PID 864 wrote to memory of 1280	864	LSASS.EXE	51
PID 864 wrote to memory of 1280	864	LSASS.EXE	51
PID 864 wrote to memory of 2704	864	LSASS.EXE	52
PID 864 wrote to memory of 2704	864	LSASS.EXE	52
PID 864 wrote to memory of 2704	864	LSASS.EXE	52
PID 864 wrote to memory of 2704	864	LSASS.EXE	52

C:\Users\Admin\AppData\Local\Temp\db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\db158a450dfce4205588e0b1a68597f2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2076
- C:\Windows\SysWOW64\com\SMSS.EXE
  c:\users\admin\appdata\local\temp\db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe|c:\users\admin\appdata\local\temp\db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
  2⤵
  - Executes dropped EXE
  PID:2528
- \??\c:\users\admin\appdata\local\temp\db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
  "c:\users\admin\appdata\local\temp\db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c rd /s /q "C:\Windows\system32\com\SMSS.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2732
- - C:\Windows\SysWOW64\com\LSASS.EXE
    "C:\Windows\system32\com\LSASS.EXE"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Indicator Removal: Clear Persistence
    - Drops autorun.inf file
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2024
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\SMSS.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1468
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
      4⤵
      Executes dropped EXE
      PID:1720
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Windows\system32\com\LSASS.EXE|C:\pagefile.pif
      4⤵
      Executes dropped EXE
      PID:1280
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Windows\system32\com\LSASS.EXE|D:\pagefile.pif
      4⤵
      Executes dropped EXE
      PID:2704
  - - C:\Windows\SysWOW64\com\SMSS.EXE
      C:\Windows\system32\com\LSASS.EXE|E:\pagefile.pif
      4⤵
      Executes dropped EXE
      PID:1268
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1120
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1080
  - - C:\Windows\SysWOW64\ping.exe
      ping.exe -f -n 1 www.baidu.com
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3016
  - - C:\Windows\SysWOW64\ping.exe
      ping.exe -f -n 1 www.baidu.com
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1760
- - C:\Windows\SysWOW64\com\SMSS.EXE
    c:\users\admin\appdata\local\temp\db158a450dfce4205588e0b1a68597f2_jaffacakes118.~|c:\users\admin\appdata\local\temp\db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe
    3⤵
    - Executes dropped EXE
    PID:2844
- - \??\c:\users\admin\appdata\local\temp\db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2720
- - C:\Windows\SysWOW64\com\LSASS.EXE
    ^c:\users\admin\appdata\local\temp\db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2184
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c rd /s /q "C:\Windows\system32\com\SMSS.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CXRG2YQS\px[1].js

Filesize
346B

MD5
f84f931c0dd37448e03f0dabf4e4ca9f

SHA1
9c2c50edcf576453ccc07bf65668bd23c76e8663

SHA256
5c1d5fd46a88611c31ecbb8ffc1142a7e74ec7fb7d72bd3891131c880ef3f584

SHA512
afc3089d932fb030e932bf6414ac05681771051dd51d164f09635ca09cbd8525a52879524b6aa24e972e7766ddf529484cc1ec416de8b61255435a89ba781f8c

Download Submit
C:\Windows\SysWOW64\com\LSASS.EXE

Filesize
100KB

MD5
94639ff083efb161b3d4d4e6c6247182

SHA1
7e8b0b5bea4a21b393ee2f22eeb4f30c27629e50

SHA256
560b4ceffe62928300d76e23b0c7d7b5952a121a08ce4b205a01b2302d92c739

SHA512
4c115071c501ec4b929ea3fce2599ed16574bb98be8c4dc9d4d56ad7ce7edf56dcee0a7d54290d048db1c145882ea7105a3b1647778f29ef0d7dd340f56d73a1

Download Submit
C:\Windows\SysWOW64\com\netcfg.dll

Filesize
44KB

MD5
fc978b1e5e7bbcc4c823a638f7b659af

SHA1
64ea345e8c6d4366ba22ca7e06f1d29dec9affd5

SHA256
91e61328a1d2353ad402d8375157f219cc72b147f9c85eacdf189cfdeadacca0

SHA512
ca7165e7705411e788be99402d4ff5f936330b6c3bc8b56fe5f0eae8713681ca7468f150ddcd7db31f0d4c61ec0244a2229c729085d55b62185a79c276dab587

Download Submit
\??\c:\users\admin\appdata\local\temp\db158a450dfce4205588e0b1a68597f2_jaffacakes118.exe.log

Filesize
404KB

MD5
db158a450dfce4205588e0b1a68597f2

SHA1
fd08f935988e6f1c4e72fe4c47d3012a374bc2b0

SHA256
e0f2cc4926ee75d815692de2a970e01b9ccf351987c495a591202cf90a73008f

SHA512
588721c0adefd2917231a9fee9bb223c74b2b9eb3c4c083a38b0795ae37c73c592ba151d222bfcae77ccc0bbf992ae6141b286985ef4b5487fc49b0a5a1a4c6b

Download Submit
\??\c:\users\admin\appdata\local\temp\db158a450dfce4205588e0b1a68597f2_jaffacakes118.~

Filesize
204KB

MD5
458342ff2c067e5577b2b784496afd38

SHA1
d21e857cfe4adbef40fc058bd76d35440d838f1e

SHA256
8639263b52980ed9b897b0369e4510316f283169b62679f30e400165996b36f2

SHA512
0c3a3661b94e0d13698532f687b2d53da7242222aee57ff5ea718ab8395fa6a1926c4b711bbe2c64e64e00f1a6344855ee5adb090b235dc81516e29e5c7ba14c

Download Submit
\Windows\SysWOW64\com\SMSS.EXE

Filesize
9KB

MD5
06881bb6758cd51060aee95b16a68407

SHA1
4c8afb0aeb356970379f1f6f68a7aeaae12c1116

SHA256
825ae572cb46ba13bde721cd9db0477df302abb93e988e79095bbc212a6c4e95

SHA512
e0257afaae0a0c209a0ae2266bac51c43182b856aa103d1604fcd2a75c25a91c9383e4d78c4bd22eee7cb60a99aea07c86aa0316fd4862f51e1bed61ec61384f

Download Submit
memory/1268-76-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1280-65-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1720-84-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2528-10-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2704-72-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2844-35-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads