5565b8d0c27d836930658fed83b37cc47dd44edbcbf03de66a2b19974f6891e6

General

Target

04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe
Size

156KB
MD5

04ad3d325016a11314b612524f7f87aa
SHA1

1d5a1bc1d9e3e3a0cbdc56e83ea8000c4d4e887d
SHA256

5565b8d0c27d836930658fed83b37cc47dd44edbcbf03de66a2b19974f6891e6
SHA512

0a30416a96bbea2e15b4206857a898bae5d1876fb27ba6ed51460d0c7054698e166d1583d95029a44eddb4d1f6aa73fe0ee7f745bc82c5b0d758190b6a123c50
SSDEEP

3072:dD440wdsKfsCM9vd0UkmLSA+ecsM9JcrNclFtZPsVqFJWe3KW+/KXo:dDp0uNM9PjLSQNr6lsVqF9+KX

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 2 IoCs

pid	Process
1204	Explorer.EXE
476	services.exe

Unexpected DNS network traffic destination 18 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	194.165.17.3
Destination IP	66.85.130.234
Destination IP	66.85.130.234

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2624 set thread context of 2676	2624	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3551809350-4263495960-1443967649-1000\\$1ee153ffdd8a6dfba01f3ca78eb2dcd0\\n."	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$1ee153ffdd8a6dfba01f3ca78eb2dcd0\\n."	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\clsid	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2624	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe
2624	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe
2624	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe
2624	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe
2624	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe
2624	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe
Token: SeDebugPrivilege	2624	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe
Token: SeDebugPrivilege	2624	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe
Token: SeBackupPrivilege	476	services.exe
Token: SeRestorePrivilege	476	services.exe
Token: SeSecurityPrivilege	476	services.exe
Token: SeTakeOwnershipPrivilege	476	services.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 1204	2624	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe	21
PID 2624 wrote to memory of 1204	2624	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe	21
PID 2624 wrote to memory of 476	2624	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe	6
PID 2624 wrote to memory of 2676	2624	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2676	2624	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2676	2624	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2676	2624	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2676	2624	04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe	30

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:476

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1204
- C:\Users\Admin\AppData\Local\Temp\04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\04ad3d325016a11314b612524f7f87aa_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Privilege Escalation

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$1ee153ffdd8a6dfba01f3ca78eb2dcd0\@

Filesize
2KB

MD5
d340caf8aa3341058b8dc8c8337597a0

SHA1
fae6a454b417a74f946594146eaa194f638b1de4

SHA256
eae7d8049a313224354b997adf915e721d1a277bd420a0f9701235eb27f4bfca

SHA512
71ff94be93c406cf774685396d985f2a6c96ff3ac4a3d24e7ec57bbb32e73d25d830f40680e469a9c1ad1e0218d8847ad83774df3f47e99c3663483aa5d12c6a

Download Submit
C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\$1ee153ffdd8a6dfba01f3ca78eb2dcd0\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
memory/476-12-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/476-18-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1204-3-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1204-7-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/2624-1-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2624-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2624-16-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2624-17-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing