e746832c45b60f90fefd8738d0d9540df167674fbf101dd9b974b966cde62457

General

Target

fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe
Size

174KB
MD5

fad9a80024332efb7f5609b61c00ff56
SHA1

31e2caada015dcbb888dd351f06474d7177437a1
SHA256

e746832c45b60f90fefd8738d0d9540df167674fbf101dd9b974b966cde62457
SHA512

80599d1cebe327d7cb6bab1ce88dec2b0a35310b48e1d2784cb1685eec2456602fd7a965b5194e5499345a63d237dc252013bf3b877e5079860e6874b7fb8acb
SSDEEP

3072:2a6pmM3xy6bpgy4Zyv7q6RYZZeyqfEkQGUSQyYLWwA5pyAQ/NxgSiD9s8FlI6:wy62y4ZI7qoYXizQGUhfK5pVQ/M52

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppCert DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.
persistence privilege_escalation

AppCert DLLs
T1546.009

Deletes itself 1 IoCs

pid	Process
2840	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1252	Explorer.EXE

Loads dropped DLL 7 IoCs

pid	Process
2716	fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2744	rundll32.exe
2840	cmd.exe
3052	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cttuonce.dll	fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\cttuonce64.dll	fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2716	fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2744	2716	fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe	29
PID 2716 wrote to memory of 2744	2716	fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe	29
PID 2716 wrote to memory of 2744	2716	fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe	29
PID 2716 wrote to memory of 2744	2716	fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe	29
PID 2716 wrote to memory of 2840	2716	fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2840	2716	fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2840	2716	fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2840	2716	fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2840	2716	fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2840	2716	fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2840	2716	fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe	30
PID 2744 wrote to memory of 1252	2744	rundll32.exe	20
PID 2744 wrote to memory of 1252	2744	rundll32.exe	20
PID 2840 wrote to memory of 3052	2840	cmd.exe	32
PID 2840 wrote to memory of 3052	2840	cmd.exe	32
PID 2840 wrote to memory of 3052	2840	cmd.exe	32
PID 2840 wrote to memory of 3052	2840	cmd.exe	32
PID 2840 wrote to memory of 3052	2840	cmd.exe	32
PID 2840 wrote to memory of 3052	2840	cmd.exe	32
PID 2840 wrote to memory of 3052	2840	cmd.exe	32

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3052	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1252
- C:\Users\Admin\AppData\Local\Temp\fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\cttuonce64.dll",CreateProcessNotify
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\259526695.bat" "C:\Users\Admin\AppData\Local\Temp\fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe""
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h"C:\Users\Admin\AppData\Local\Temp\fad9a80024332efb7f5609b61c00ff56_JaffaCakes118.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

AppCert DLLs

1

T1546.009

Privilege Escalation

Event Triggered Execution

1

T1546

AppCert DLLs

1

T1546.009

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259526695.bat

Filesize
75B

MD5
7fe7140fdebda9e6fddeed64ea419888

SHA1
77604b230dbd120acd2454711b1c05bf561ba974

SHA256
a9348f9fe990cfd8f3a9c695729e38659ad8bb559341d8085f1d0e750eb00862

SHA512
e772a3b924689ec0ccbeac91992c01d45d6da35c07530d8be58f6f4aed5db759e2a00e405f9dce3006e6f289c7063adb3a5a6dd6d4c2edc60190656c00a61501

Download Submit
C:\Windows\system32\cttuonce64.dll

Filesize
62KB

MD5
d99463764fb1cb6608f2e2fea36bb016

SHA1
87a5518f3ef2db86930ed355d5b4f81362bd6418

SHA256
8557f233873fd2aa7bb675e48ac58d7d5fd60470033ad26660352bdbbacae65f

SHA512
268f9869d6fdc5673bc6fd6ef80e7b697bf172913b249b8b8626738eda387097ea00f6f5af7af56a60c8409f3bcc634502fa22599081c998874b9d5fa9a44938

Download Submit
\Windows\SysWOW64\cttuonce.dll

Filesize
54KB

MD5
6564e07076dda55f1da5ccc8c40edeb8

SHA1
ef685e0491fe98a92ee4df180869f0c9cad95f98

SHA256
62d1e48d0bd38236c7f679da0f81760f91b44ae28310b4a4c53ff231238dd0d7

SHA512
2a6b0d35f5de4962be5f2d5f7d8d98a41915b1f24910a256760ec9d18719945d0aa0b335549f9338e8fc477d655c92e0579ce437c5d171502fd1746866a1d326

Download Submit
memory/1252-42-0x0000000180000000-0x0000000180016000-memory.dmp

Filesize
88KB

Download
memory/1252-28-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2716-40-0x0000000001000000-0x000000000102E000-memory.dmp

Filesize
184KB

Download
memory/2716-7-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2716-6-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/2716-41-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2716-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2716-1-0x0000000001000000-0x000000000102E000-memory.dmp

Filesize
184KB

Download
memory/2744-14-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2744-25-0x0000000180000000-0x0000000180016000-memory.dmp

Filesize
88KB

Download
memory/2840-22-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2840-49-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/3052-48-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing