0a19df878b848c99598880492b48eff750bcdafcc36dfa1e4cc776d5f63ae071

General

Target

27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe
Size

13KB
MD5

27a405172d883a8f8899cd6c4d5bfa4c
SHA1

0e4d4d84161fbf8e30a5050885773d470e7c9466
SHA256

0a19df878b848c99598880492b48eff750bcdafcc36dfa1e4cc776d5f63ae071
SHA512

5b25a8bebb9aa407ca6451719fb329b7f00bde411ad0c9c1da39fb5107195eb632ecde4fb90143fc0f42f14eebbcf6c7a9cc8c38b63c12b3c131fa42f54b6d46
SSDEEP

192:y7eZZxiLoIKXTMC3IizzwsPpjErEIkuJDYdVjXONMQ//dfJACoCJE8QO7hsZ:yCFiLo/XI+Iioeor86VjVyCJEw2Z

Score

7^/10

defense_evasion discovery persistence privilege_escalation upx

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dsound3dd.dll	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dsound3dd.dll	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2196-0-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral1/memory/2196-7-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\PROTOCOLS\Filter\text/html	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\PROTOCOLS	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Wow6432Node\CLSID\{ff7436ea-7727-48e8-9886-a5a37b27f889}\InProcServer32	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Wow6432Node	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\PROTOCOLS\Filter	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\PROTOCOLS\Filter\text/html\ = "Microsoft Default HTML MIME Filter"	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\PROTOCOLS\Filter\text/html\CLSID = "{ff7436ea-7727-48e8-9886-a5a37b27f889}"	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Wow6432Node\CLSID	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Wow6432Node\CLSID\{ff7436ea-7727-48e8-9886-a5a37b27f889}	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Wow6432Node\CLSID\{ff7436ea-7727-48e8-9886-a5a37b27f889}\InProcServer32\ = "C:\\Windows\\SysWow64\\dsound3dd.dll"	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Wow6432Node\CLSID\{ff7436ea-7727-48e8-9886-a5a37b27f889}\InProcServer32\ThreadingModel = "Apartment"	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2196	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe
2196	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2196	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2804	2196	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe	30
PID 2196 wrote to memory of 2804	2196	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe	30
PID 2196 wrote to memory of 2804	2196	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe	30
PID 2196 wrote to memory of 2804	2196	27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27a405172d883a8f8899cd6c4d5bfa4c_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\27A405~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Privilege Escalation

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259C.tmp

Filesize
14KB

MD5
5e47c73681592fd8eacfaa57e19b8bc9

SHA1
a1bcb5bf7969d489816ade9d79357da8d9f31d0d

SHA256
d70d0db0cb6ae2d2d57fad884d70b3809fe4a9f06bb6973ee76912469f88000a

SHA512
add091a8303520c9fb5fa99d9f46860034dd8ba8f3ed915311c163d774658f6dadd076de4dcc56dbe02735110c2cebd920985328614f5bca90d8d43474552da7

Download Submit
memory/2196-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2196-7-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing