83c2ac671279f7868f0e848e8c068ed8c6babe5ac95603f1e74286b8dd9a6350

General

Target

fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe
Size

38KB
MD5

fdd0b50267452dcbed129aefcffb36a8
SHA1

78a59d6a9edb020173967678c913f7a74e33ae85
SHA256

83c2ac671279f7868f0e848e8c068ed8c6babe5ac95603f1e74286b8dd9a6350
SHA512

d05b45e18a1c62486b84ebb7432602a20bd4a017a4a19ce62455bfb1c7e78254f56d33e5040acc272d75c47cbda59d97d032ef0ba831ad6208129a3cee02ca09
SSDEEP

768:3Gudxg1iMaNjOCHRFjwRk3LmNUgjj/IqjHszIh1KgLhm/:3JoAn70q3aNljwqjHsC1Kn

Score

8^/10

discovery evasion execution persistence

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
2780	updata.exe

Loads dropped DLL 6 IoCs

pid	Process
2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe
2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe
2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kav = "C:\\Windows\\system32\\kav.exe"	updata.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ccte1sto.dat	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\progra~1\ATI\amdk8.inf	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe
File created	C:\progra~1\ATI\amdk8.sys	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1496	sc.exe
2132	sc.exe
2824	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2628	2780	WerFault.exe	38
1540	2520	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updata.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe
2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe
Token: SeAuditPrivilege	2760	svchost.exe
Token: SeRestorePrivilege	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe
Token: SeRestorePrivilege	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe
Token: SeRestorePrivilege	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe
Token: SeRestorePrivilege	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe
Token: SeRestorePrivilege	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe
Token: SeRestorePrivilege	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe
Token: SeRestorePrivilege	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe
Token: SeDebugPrivilege	2780	updata.exe
Token: SeDebugPrivilege	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 1496	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe	30
PID 2520 wrote to memory of 1496	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe	30
PID 2520 wrote to memory of 1496	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe	30
PID 2520 wrote to memory of 1496	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2132	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe	32
PID 2520 wrote to memory of 2132	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe	32
PID 2520 wrote to memory of 2132	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe	32
PID 2520 wrote to memory of 2132	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe	32
PID 2520 wrote to memory of 2824	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe	35
PID 2520 wrote to memory of 2824	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe	35
PID 2520 wrote to memory of 2824	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe	35
PID 2520 wrote to memory of 2824	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe	35
PID 2520 wrote to memory of 2780	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe	38
PID 2520 wrote to memory of 2780	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe	38
PID 2520 wrote to memory of 2780	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe	38
PID 2520 wrote to memory of 2780	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe	38
PID 2780 wrote to memory of 2628	2780	updata.exe	39
PID 2780 wrote to memory of 2628	2780	updata.exe	39
PID 2780 wrote to memory of 2628	2780	updata.exe	39
PID 2780 wrote to memory of 2628	2780	updata.exe	39
PID 2520 wrote to memory of 1540	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe	40
PID 2520 wrote to memory of 1540	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe	40
PID 2520 wrote to memory of 1540	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe	40
PID 2520 wrote to memory of 1540	2520	fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe	40

C:\Users\Admin\AppData\Local\Temp\fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdd0b50267452dcbed129aefcffb36a8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config PolicyAgent start= auto
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1496
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" stop PolicyAgent
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2132
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start PolicyAgent
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\updata.exe
  "C:\Users\Admin\AppData\Local\Temp\updata.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 228
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 636
  2⤵
  - Program crash
  PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\updata.exe

Filesize
16KB

MD5
5d3ed0c6b85b2fa28784e2f69aa61e8b

SHA1
22272142f2963b9e068f1f7f55dd9082493177ca

SHA256
f1163d5dc04a21aa320dd0d459a018272532b8eff95d3ed15d20590e1fea5a04

SHA512
6163d97784d269b6c9599180f43370564a9063a461a0c2ba25a6dae7b8ea1976ece68b492a74f974cbe0954ed90215ccc3b1bc9135a58597251148b2ca45d168

Download Submit
\Windows\SysWOW64\ccte1sto.dat

Filesize
16KB

MD5
219394ebb12624755e13e8c1f6da342c

SHA1
01c18e9c839263e3baa7f90688543a100cc407ee

SHA256
153dc55887a986eb52a8be9008342a66b7b60b8ece2b5e81138309210153d142

SHA512
50dffcddb5fef885388b7041789ec4c05964543d42d0777f3f7f65bcfa117513173a47488e30ace6355def928806492d7c04366343173b492b7bd8d3c148e3e7

Download Submit
memory/2520-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-4-0x00000000025E0000-0x00000000025EA000-memory.dmp

Filesize
40KB

Download
memory/2520-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-6-0x00000000025E0000-0x00000000025EA000-memory.dmp

Filesize
40KB

Download
memory/2520-29-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2520-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads