72a5c13ea2529238f39e86a718473d7d89ebbf78b781fbf2ac55ce9ded09cd0d

General

Target

c08b8818e0f884170d03efe476315c6d_JaffaCakes118.exe
Size

15.9MB
MD5

c08b8818e0f884170d03efe476315c6d
SHA1

d7d980427342d00cab78b6c56b0fb20d1d359d0a
SHA256

72a5c13ea2529238f39e86a718473d7d89ebbf78b781fbf2ac55ce9ded09cd0d
SHA512

6fad815f044c39b23376ae9646d8ef89ffb9ccc6e1e8d4c882ab493e3bd60d2461e588ff84d7cbb017ff9bc426c137557add37b5f0614498cd5882b37b3d73d1
SSDEEP

393216:Tg7upg7upg7upg7upg7upg7upg7upg7uN:USqSqSqSqSqSqSqSN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2568	7D57AD13E21.exe
2716	Scegli_nome_allegato.exe
1848	7D57AD13E21.exe

Loads dropped DLL 3 IoCs

pid	Process
2888	c08b8818e0f884170d03efe476315c6d_JaffaCakes118.exe
2888	c08b8818e0f884170d03efe476315c6d_JaffaCakes118.exe
2888	c08b8818e0f884170d03efe476315c6d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\7D57AD13E21.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2568 set thread context of 1848	2568	7D57AD13E21.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	Scegli_nome_allegato.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Scegli_nome_allegato.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Scegli_nome_allegato.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2160	reg.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2716	Scegli_nome_allegato.exe
2716	Scegli_nome_allegato.exe
2716	Scegli_nome_allegato.exe
1848	7D57AD13E21.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2160	2888	c08b8818e0f884170d03efe476315c6d_JaffaCakes118.exe	28
PID 2888 wrote to memory of 2160	2888	c08b8818e0f884170d03efe476315c6d_JaffaCakes118.exe	28
PID 2888 wrote to memory of 2160	2888	c08b8818e0f884170d03efe476315c6d_JaffaCakes118.exe	28
PID 2888 wrote to memory of 2160	2888	c08b8818e0f884170d03efe476315c6d_JaffaCakes118.exe	28
PID 2888 wrote to memory of 2568	2888	c08b8818e0f884170d03efe476315c6d_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2568	2888	c08b8818e0f884170d03efe476315c6d_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2568	2888	c08b8818e0f884170d03efe476315c6d_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2568	2888	c08b8818e0f884170d03efe476315c6d_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2716	2888	c08b8818e0f884170d03efe476315c6d_JaffaCakes118.exe	31
PID 2888 wrote to memory of 2716	2888	c08b8818e0f884170d03efe476315c6d_JaffaCakes118.exe	31
PID 2888 wrote to memory of 2716	2888	c08b8818e0f884170d03efe476315c6d_JaffaCakes118.exe	31
PID 2888 wrote to memory of 2716	2888	c08b8818e0f884170d03efe476315c6d_JaffaCakes118.exe	31
PID 2568 wrote to memory of 1848	2568	7D57AD13E21.exe	33
PID 2568 wrote to memory of 1848	2568	7D57AD13E21.exe	33
PID 2568 wrote to memory of 1848	2568	7D57AD13E21.exe	33
PID 2568 wrote to memory of 1848	2568	7D57AD13E21.exe	33
PID 2568 wrote to memory of 1848	2568	7D57AD13E21.exe	33
PID 2568 wrote to memory of 1848	2568	7D57AD13E21.exe	33

C:\Users\Admin\AppData\Local\Temp\c08b8818e0f884170d03efe476315c6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c08b8818e0f884170d03efe476315c6d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:2160
- C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
  "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
    "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1848
- C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
  "C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Filesize
15.9MB

MD5
11f8bace4e1cd0fb78116702a9f7fe83

SHA1
577d2232f859564b51af90bc70ab95a369cc62d1

SHA256
54afd74bf419a23f72aa56883eea619ca90c622bfbac73ea689d445ce5babca4

SHA512
28a76055009fca9f3f6f05e5262c70b3fa68c1e092c1c1465254d52362c36b6e19d241f82660b87870b6352ff0560db61eaf4d0b549d102d4e9027e07fe2da3a

Download Submit
\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

Filesize
1.0MB

MD5
a2f259ceb892d3b0d1d121997c8927e3

SHA1
6e0a7239822b8d365d690a314f231286355f6cc6

SHA256
ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420

SHA512
5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad

Download Submit
memory/1848-47-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1848-50-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1848-60-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1848-57-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1848-55-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1848-53-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1848-51-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1848-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1848-43-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2568-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2568-40-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/2568-49-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/2716-21-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2716-41-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2716-26-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2716-54-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2888-0-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2888-12-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/2888-20-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/2888-1-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads