03a91f01fc7f45b4ce8d63fd69ee1e27fa14d15b4aa9fd03310c7979fb833272

General

Target

ef437a3a76eff30492a9634b2ac8f4b3_JaffaCakes118.exe
Size

411KB
MD5

ef437a3a76eff30492a9634b2ac8f4b3
SHA1

ca1448c388fe2e6abcd88cb151416622fb026a48
SHA256

03a91f01fc7f45b4ce8d63fd69ee1e27fa14d15b4aa9fd03310c7979fb833272
SHA512

57289de6a51180153e4272e6bb2fa2b1c4ac0c9aa2001095049cf145d47f52c2beb05835284f8490642e28e96cce49136c0fd777e4706e56145eca0a071356d0
SSDEEP

6144:Iz03FeHrJ4IF2idZecnl20lHRxp3gQvMsRBVlsGMvJekKrbZSGSqvRt:82YVZF3Z4mxxsIBHsJAZSlqvRt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2412	QQ.exe

Loads dropped DLL 2 IoCs

pid	Process
2320	ef437a3a76eff30492a9634b2ac8f4b3_JaffaCakes118.exe
2320	ef437a3a76eff30492a9634b2ac8f4b3_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ef437a3a76eff30492a9634b2ac8f4b3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef437a3a76eff30492a9634b2ac8f4b3_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D544C22D-1F70-4B1E-873D-D8DABEB26695}\InProcServer32\ThreadingModel = "Apartment"	QQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D544C22D-1F70-4B1E-873D-D8DABEB26695}	QQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D544C22D-1F70-4B1E-873D-D8DABEB26695}\	QQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D544C22D-1F70-4B1E-873D-D8DABEB26695}\InProcServer32	QQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D544C22D-1F70-4B1E-873D-D8DABEB26695}\InProcServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\atmQQ2.dll"	QQ.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2412	QQ.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2412	QQ.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2412	2320	ef437a3a76eff30492a9634b2ac8f4b3_JaffaCakes118.exe	28
PID 2320 wrote to memory of 2412	2320	ef437a3a76eff30492a9634b2ac8f4b3_JaffaCakes118.exe	28
PID 2320 wrote to memory of 2412	2320	ef437a3a76eff30492a9634b2ac8f4b3_JaffaCakes118.exe	28
PID 2320 wrote to memory of 2412	2320	ef437a3a76eff30492a9634b2ac8f4b3_JaffaCakes118.exe	28
PID 2412 wrote to memory of 2336	2412	QQ.exe	29
PID 2412 wrote to memory of 2336	2412	QQ.exe	29
PID 2412 wrote to memory of 2336	2412	QQ.exe	29
PID 2412 wrote to memory of 2336	2412	QQ.exe	29

C:\Users\Admin\AppData\Local\Temp\ef437a3a76eff30492a9634b2ac8f4b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef437a3a76eff30492a9634b2ac8f4b3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQ.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BT.BAT" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BT.BAT

Filesize
144B

MD5
af1f074445aacbb4bfd70e0102f7f517

SHA1
f431565b822fbc06071f4cf838753d98f249cf10

SHA256
4953a11bc4f520e42bb67cc1a5fac050dfe530845c24ca9d9e5d4398694de14a

SHA512
b1ec3511297dd088051def6ca41c5a23593b562ad3cca9270eebb3d24b99207ee22b85f6f18724ddaba91359d52cd68f60cd7850d3237f1495885740fb9bf6c7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQ.exe

Filesize
37KB

MD5
d7007993be869060e3e2af77d882ff9a

SHA1
5bbf2adc9f744d98961d6886a8bcac475129edab

SHA256
8c9e55488ceea3b1a5db667295ecc88fd27a115a5613e2fe99ee7b4cba6c728b

SHA512
388dd182b4b126c32e5f933e0c8bd521fd69f60858dc86215663b9de1853b0ea64ddacf9b5e1d8473f2e7b6ebf9139735b3ac74599fe5a19ff0b0c4e3808434f

Download Submit
memory/2320-17-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2320-10-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/2320-27-0x0000000003840000-0x0000000003862000-memory.dmp

Filesize
136KB

Download
memory/2320-26-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2320-25-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2320-24-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2320-23-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2320-22-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2320-21-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2320-20-0x00000000030E0000-0x00000000030E3000-memory.dmp

Filesize
12KB

Download
memory/2320-19-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/2320-15-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2320-48-0x0000000000290000-0x00000000002E4000-memory.dmp

Filesize
336KB

Download
memory/2320-47-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/2320-18-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2320-14-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2320-13-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2320-12-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/2320-11-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/2320-0-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/2320-30-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/2320-31-0x0000000000290000-0x00000000002E4000-memory.dmp

Filesize
336KB

Download
memory/2320-16-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2320-1-0x0000000000290000-0x00000000002E4000-memory.dmp

Filesize
336KB

Download
memory/2412-33-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2412-44-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2412-29-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads