ae2b47ff1aa91db152c36aba7d62de9a57af79444cfefb9f158f183c81b6c1ba

General

Target

9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe
Size

19KB
MD5

9f2d96d970549994a056ef952ffc5b54
SHA1

80128a740c006cdb92deebe2115b00eec844c87c
SHA256

ae2b47ff1aa91db152c36aba7d62de9a57af79444cfefb9f158f183c81b6c1ba
SHA512

fe431fdd00cc609d6195bb0c3138be505838b52b778b8831f7a0a60384670d902ef3a48ec93fd2f0bc0ec586d1d0070b433730a92d707f9a547b4b0259460bff
SSDEEP

384:AePvJDUGCMxD7GAYut2ALNztr32zF/BMC2sOrM:AexC+uAx7Lr34F/Bf2xM

Score

8^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\msosmsp2p32.sys 9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2900 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe

pid process

2068 9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\msosmsp2p32.sys	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe

pid	process
2900	cmd.exe

Drops file in System32 directory 3 IoCs

Processes:

9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\msosmhfp00.dll	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msosmhfp00.dll	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msosmhfp.dat	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

Processes:

9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\win.ini 9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe

pid	process
2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe
2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe
2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

services.exe

pid process

476 services.exe
476 services.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2068 9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe

pid	process
476	services.exe
476	services.exe

description	pid	process
Token: SeDebugPrivilege	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe

description	pid	process	target process
PID 2068 wrote to memory of 256	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	smss.exe
PID 2068 wrote to memory of 336	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	csrss.exe
PID 2068 wrote to memory of 384	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	csrss.exe
PID 2068 wrote to memory of 392	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	wininit.exe
PID 2068 wrote to memory of 424	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	winlogon.exe
PID 2068 wrote to memory of 476	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	services.exe
PID 2068 wrote to memory of 492	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	lsass.exe
PID 2068 wrote to memory of 500	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	lsm.exe
PID 2068 wrote to memory of 616	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	svchost.exe
PID 2068 wrote to memory of 696	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	svchost.exe
PID 2068 wrote to memory of 780	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	svchost.exe
PID 2068 wrote to memory of 828	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	svchost.exe
PID 2068 wrote to memory of 864	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	svchost.exe
PID 2068 wrote to memory of 976	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	svchost.exe
PID 2068 wrote to memory of 268	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	svchost.exe
PID 2068 wrote to memory of 348	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	spoolsv.exe
PID 2068 wrote to memory of 1072	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	svchost.exe
PID 2068 wrote to memory of 1112	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	taskhost.exe
PID 2068 wrote to memory of 1168	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	Dwm.exe
PID 2068 wrote to memory of 1196	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	Explorer.EXE
PID 2068 wrote to memory of 1304	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	DllHost.exe
PID 2068 wrote to memory of 1672	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	OSPPSVC.EXE
PID 2068 wrote to memory of 1744	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	wmiprvse.exe
PID 2068 wrote to memory of 1300	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	svchost.exe
PID 2068 wrote to memory of 2952	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	sppsvc.exe
PID 2068 wrote to memory of 2900	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	cmd.exe
PID 2068 wrote to memory of 2900	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	cmd.exe
PID 2068 wrote to memory of 2900	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	cmd.exe
PID 2068 wrote to memory of 2900	2068	9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe	cmd.exe

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:392
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  - Suspicious behavior: LoadsDriver
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:616
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1304
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1744
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:696
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:780
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:828
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1168
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:864
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:976
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:268
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:348
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1072
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1112
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1672
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1300
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2952
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\9f2d96d970549994a056ef952ffc5b54_JaffaCakes118.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

AppInit DLLs

1

T1546.010

Privilege Escalation

Event Triggered Execution

1

T1546

AppInit DLLs

1

T1546.010

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\tmpFDFF.tmp

Filesize
13KB

MD5
916c82f5f02b9de10640f496f9c37377

SHA1
a6b4c011e766d7c3ecaaae3477e53b7c78d2406c

SHA256
3004368a1ad863b3a069eb8c886455c8987814cdddfd0effd06bb9c5627bd2f1

SHA512
3dbfc150bae0e01cd065e9555651ff9e1ffbba3c40b5d17be3b47c867faa7bd2b38e988b910f3dea763ad8823ef9b15bd7990424153de356d6e2698e3b474dca

Download Submit
memory/256-9-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/476-28-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2068-24-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads