0950827be708a38ae8fcdc033f28e7dd9e961499db19e25f0bc81adbf753cd22

General

Target

2246cdf34471524e0dacc39146944acc_JaffaCakes118.exe
Size

7.9MB
MD5

2246cdf34471524e0dacc39146944acc
SHA1

df1c092c0893574634f636f7a106ddcafec67d8a
SHA256

0950827be708a38ae8fcdc033f28e7dd9e961499db19e25f0bc81adbf753cd22
SHA512

d4d13ad510dbf288ccdcfd3701110f4c3d1f37ba8b78568926f67e9d454c5cbb4782f398e8d01d776ce6943e4eb01258756e2e57cc8321d3bde280190118e5cd
SSDEEP

196608:8Jazg7DSmJazg7DSmJazg7DSmJazg7DSN:5g7uXg7uXg7uXg7uN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2516	7D57AD13E21.exe
2676	Scegli_nome_allegato.exe
2724	7D57AD13E21.exe

Loads dropped DLL 3 IoCs

pid	Process
1028	2246cdf34471524e0dacc39146944acc_JaffaCakes118.exe
1028	2246cdf34471524e0dacc39146944acc_JaffaCakes118.exe
1028	2246cdf34471524e0dacc39146944acc_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\7D57AD13E21.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2516 set thread context of 2724	2516	7D57AD13E21.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	Scegli_nome_allegato.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Scegli_nome_allegato.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Scegli_nome_allegato.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2580	reg.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2676	Scegli_nome_allegato.exe
2676	Scegli_nome_allegato.exe
2676	Scegli_nome_allegato.exe
2724	7D57AD13E21.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 2580	1028	2246cdf34471524e0dacc39146944acc_JaffaCakes118.exe	28
PID 1028 wrote to memory of 2580	1028	2246cdf34471524e0dacc39146944acc_JaffaCakes118.exe	28
PID 1028 wrote to memory of 2580	1028	2246cdf34471524e0dacc39146944acc_JaffaCakes118.exe	28
PID 1028 wrote to memory of 2580	1028	2246cdf34471524e0dacc39146944acc_JaffaCakes118.exe	28
PID 1028 wrote to memory of 2516	1028	2246cdf34471524e0dacc39146944acc_JaffaCakes118.exe	30
PID 1028 wrote to memory of 2516	1028	2246cdf34471524e0dacc39146944acc_JaffaCakes118.exe	30
PID 1028 wrote to memory of 2516	1028	2246cdf34471524e0dacc39146944acc_JaffaCakes118.exe	30
PID 1028 wrote to memory of 2516	1028	2246cdf34471524e0dacc39146944acc_JaffaCakes118.exe	30
PID 1028 wrote to memory of 2676	1028	2246cdf34471524e0dacc39146944acc_JaffaCakes118.exe	31
PID 1028 wrote to memory of 2676	1028	2246cdf34471524e0dacc39146944acc_JaffaCakes118.exe	31
PID 1028 wrote to memory of 2676	1028	2246cdf34471524e0dacc39146944acc_JaffaCakes118.exe	31
PID 1028 wrote to memory of 2676	1028	2246cdf34471524e0dacc39146944acc_JaffaCakes118.exe	31
PID 2516 wrote to memory of 2724	2516	7D57AD13E21.exe	33
PID 2516 wrote to memory of 2724	2516	7D57AD13E21.exe	33
PID 2516 wrote to memory of 2724	2516	7D57AD13E21.exe	33
PID 2516 wrote to memory of 2724	2516	7D57AD13E21.exe	33
PID 2516 wrote to memory of 2724	2516	7D57AD13E21.exe	33
PID 2516 wrote to memory of 2724	2516	7D57AD13E21.exe	33

C:\Users\Admin\AppData\Local\Temp\2246cdf34471524e0dacc39146944acc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2246cdf34471524e0dacc39146944acc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:2580
- C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
  "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
    "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2724
- C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
  "C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Filesize
7.9MB

MD5
cf8e93c2b3fce8ea0710bac1454f8468

SHA1
6982eeccf367290fd9b42d8a3f83a1867ef8e2ca

SHA256
85e76a2d103d2564a967ed329d460c67a1bd7f17c5a408d9a510865f57909a86

SHA512
af7c3d36fee37dde482a4a5be1dcf06147738fa8d1f32681e8ba75b5e197d66e695e7cf310c232bb0a61f22da224d1064a0e959466ceb1b45aa7e79c8c5cd050

Download Submit
\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

Filesize
1.0MB

MD5
a2f259ceb892d3b0d1d121997c8927e3

SHA1
6e0a7239822b8d365d690a314f231286355f6cc6

SHA256
ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420

SHA512
5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad

Download Submit
memory/1028-1-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1028-12-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1028-20-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1028-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2516-40-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/2516-13-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2516-49-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/2676-41-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2676-26-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2676-21-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2676-55-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2724-43-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2724-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2724-47-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2724-50-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2724-51-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2724-53-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2724-54-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2724-57-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2724-60-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads