869574b3cc736bbbd3dad5797ae742bf97bfc4dcc0608a3d7b235b97eec56829

General

Target

ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe
Size

32KB
MD5

ea8b4159dfb31c1faf813a0b8991e794
SHA1

bef919aa7630f83ab14f023996122b364cb9b607
SHA256

869574b3cc736bbbd3dad5797ae742bf97bfc4dcc0608a3d7b235b97eec56829
SHA512

2edc7f377f6c86ff377d5476401e674e68fac9586c0722718e13f3eb525df98e7170dc54b36d0e8dcc2ccac5d544a66650f25a2f11d9ac7cb8d0509872160f5e
SSDEEP

384:WB4j/4FRzXHviu7z6kAx0LFMRmW9CeuLCSb2fieTlv/eDAFdOcC5GRq7q:WBc4F9P6ODWcaSbv0v/6COmeq

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe"	ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\urssynopsys.inf_amd64_057fa37902020500\urssynopsys.sys	ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vrd.inf_amd64_81fbd405ff2470fc\vrd.sys	ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\swenum.inf_amd64_16a14542b63c02af\swenum.sys	ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\uefi.inf_amd64_c1628ffa62c8e54c\UEFI.sys	ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ufxchipidea.inf_amd64_1c78775fffab6a0a\UfxChipidea.sys	ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\umbus.inf_amd64_b78a9c5b6fd62c27\umbus.sys	ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\urschipidea.inf_amd64_78ad1c14e33df968\urschipidea.sys	ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\compositebus.inf_amd64_7500cffa210c6946\CompositeBus.sys	ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\genericusbfn.inf_amd64_53931f0ae21d6d2c\genericusbfn.sys	ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1012	ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe
1012	ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1012	ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1012	ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 792	1012	ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe	10
PID 1012 wrote to memory of 3116	1012	ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe	82
PID 1012 wrote to memory of 3116	1012	ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe	82
PID 1012 wrote to memory of 3116	1012	ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe	82

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea8b4159dfb31c1faf813a0b8991e794_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" %1
  2⤵
  PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rdl88A8.tmp

Filesize
6KB

MD5
b748c4e142169a4ae2720f527343bb92

SHA1
de52297ceb77efd35adcd6727df7acce62434059

SHA256
21f5e5ca930727fb0cca314201fae10f496a7445e8b6292748f26234a9905e29

SHA512
6f5f38bd6af05290e58cba851e21187a826adf48b5d61f7c41e61b21b58b33bc9df0f01d1d42ebafccaeda69811bcde6b4ae74030f2b3d17b5cd2c561af1d0c5

Download Submit
memory/1012-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1012-1-0x0000000017180000-0x0000000017189000-memory.dmp

Filesize
36KB

Download
memory/1012-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1012-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1012-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1012-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads