cd7681c6ca1b1ea41d0cef919d794f20fe89e88518d5b70fd67a1033dad272d4

General

Target

01a98142b184b284e6540f933de8cc31_JaffaCakes118.dll
Size

164KB
MD5

01a98142b184b284e6540f933de8cc31
SHA1

aa8cdcb7f1de25bad359e76c9355785210cecf6a
SHA256

cd7681c6ca1b1ea41d0cef919d794f20fe89e88518d5b70fd67a1033dad272d4
SHA512

4d0b86b18f0cada2ed804ab1c11c6c14e3fcc517c8be35a8c7d221d5b260a596a8e91090d8ef63a665ef8c972b98eba3d697d22794a4cf1ea69a03dbec1b05e9
SSDEEP

3072:1xvRNNRig4E1RxegxzkgWO+pglzhqWo2HhjOYLnHxZsakt7ae:3RUDW5WOUgvq52fH4nt73

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~3\\32lonjehum.dat,StartAs"	rundll32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~3\32lonjehum.dat	rundll32.exe
File opened for modification	C:\PROGRA~3\32lonjehum.dat	rundll32.exe
File created	C:\PROGRA~3\muhejnol23.dat	rundll32.exe
File opened for modification	C:\PROGRA~3\muhejnol23.dat	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies Internet Explorer Protected Mode 1 TTPs 5 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	rundll32.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2160	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	rundll32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2160	2056	rundll32.exe	29
PID 2056 wrote to memory of 2160	2056	rundll32.exe	29
PID 2056 wrote to memory of 2160	2056	rundll32.exe	29
PID 2056 wrote to memory of 2160	2056	rundll32.exe	29
PID 2056 wrote to memory of 2160	2056	rundll32.exe	29
PID 2056 wrote to memory of 2160	2056	rundll32.exe	29
PID 2056 wrote to memory of 2160	2056	rundll32.exe	29
PID 2160 wrote to memory of 1364	2160	rundll32.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1364
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\01a98142b184b284e6540f933de8cc31_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\01a98142b184b284e6540f933de8cc31_JaffaCakes118.dll,#1
    3⤵
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer Protected Mode
    - Modifies Internet Explorer Protected Mode Banner
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\32lonjehum.dat

Filesize
1.3MB

MD5
a90eacc55ba8e79e2835ccf49374430f

SHA1
b1dbb2db758eae1084b3d12e1a07a6599f03a7ed

SHA256
8227fb8d4eb8d099a51b144a89ebe5e4e30f45e9334353d1ac4456127ea8bcc4

SHA512
c6dacb5568399c90a1870ec1136fff7b5fd292e7c6c8be1b27f2e46429df4f6b1e1c968d8add7933d399ea9aad979a60c8d71e466ebb6cd3cd6d82947638cfb4

Download Submit
memory/1364-17-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/2160-3-0x0000000000690000-0x00000000006ED000-memory.dmp

Filesize
372KB

Download
memory/2160-2-0x0000000000690000-0x00000000006ED000-memory.dmp

Filesize
372KB

Download
memory/2160-1-0x0000000000690000-0x00000000006ED000-memory.dmp

Filesize
372KB

Download
memory/2160-0-0x0000000000690000-0x00000000006ED000-memory.dmp

Filesize
372KB

Download
memory/2160-5-0x0000000000690000-0x00000000006ED000-memory.dmp

Filesize
372KB

Download
memory/2160-4-0x0000000000693000-0x0000000000697000-memory.dmp

Filesize
16KB

Download
memory/2160-6-0x0000000000690000-0x00000000006ED000-memory.dmp

Filesize
372KB

Download
memory/2160-21-0x0000000000693000-0x0000000000697000-memory.dmp

Filesize
16KB

Download
memory/2160-22-0x0000000000690000-0x00000000006ED000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads