12b681a686de5d8fb0aee797adf4ce103dc343f292f9b64ff8a7d787f26531d8

General

Target

e853cf244a669d2712dc7d27e57d9630_JaffaCakes118.exe
Size

44KB
MD5

e853cf244a669d2712dc7d27e57d9630
SHA1

8173290e4e5dec35e1c40d514a298b0399b9a369
SHA256

12b681a686de5d8fb0aee797adf4ce103dc343f292f9b64ff8a7d787f26531d8
SHA512

7636fb97b9e76c0e224ce69805618011cc4f73d3bfdddd4814cac98cd365c22ed48816eb0852a50617248e15989b340c5796cff18011b6630a53fa93dd1ef68e
SSDEEP

768:JDI8yw6q0z1w1zThnHGazLJoivs+ChaVPenf0S:JDkhTqZhHzNZCrf

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Messenger Live Startup = "windowslivemsn.exe"	e853cf244a669d2712dc7d27e57d9630_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\windowslivemsn.exe	e853cf244a669d2712dc7d27e57d9630_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\windowslivemsn.exe	e853cf244a669d2712dc7d27e57d9630_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1444 set thread context of 1780	1444	e853cf244a669d2712dc7d27e57d9630_JaffaCakes118.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1780	1444	e853cf244a669d2712dc7d27e57d9630_JaffaCakes118.exe	28
PID 1444 wrote to memory of 1780	1444	e853cf244a669d2712dc7d27e57d9630_JaffaCakes118.exe	28
PID 1444 wrote to memory of 1780	1444	e853cf244a669d2712dc7d27e57d9630_JaffaCakes118.exe	28
PID 1444 wrote to memory of 1780	1444	e853cf244a669d2712dc7d27e57d9630_JaffaCakes118.exe	28
PID 1444 wrote to memory of 1780	1444	e853cf244a669d2712dc7d27e57d9630_JaffaCakes118.exe	28
PID 1444 wrote to memory of 1780	1444	e853cf244a669d2712dc7d27e57d9630_JaffaCakes118.exe	28
PID 1444 wrote to memory of 1780	1444	e853cf244a669d2712dc7d27e57d9630_JaffaCakes118.exe	28
PID 1444 wrote to memory of 1780	1444	e853cf244a669d2712dc7d27e57d9630_JaffaCakes118.exe	28
PID 1444 wrote to memory of 1780	1444	e853cf244a669d2712dc7d27e57d9630_JaffaCakes118.exe	28
PID 1444 wrote to memory of 1780	1444	e853cf244a669d2712dc7d27e57d9630_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\e853cf244a669d2712dc7d27e57d9630_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e853cf244a669d2712dc7d27e57d9630_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\e853cf244a669d2712dc7d27e57d9630_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e853cf244a669d2712dc7d27e57d9630_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  PID:1780
- - C:\Windows\SysWOW64\windowslivemsn.exe
    "C:\Windows\system32\windowslivemsn.exe"
    3⤵
    PID:2556
  - - C:\Windows\SysWOW64\windowslivemsn.exe
      "C:\Windows\SysWOW64\windowslivemsn.exe"
      4⤵
      PID:2344
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.zip
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.com
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.zip"
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q "%HOMEPATH%\My Documents\My Recieved Files\*.com"
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E853CF~1.EXE > nul
    3⤵
    PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\windowslivemsn.exe

Filesize
44KB

MD5
e853cf244a669d2712dc7d27e57d9630

SHA1
8173290e4e5dec35e1c40d514a298b0399b9a369

SHA256
12b681a686de5d8fb0aee797adf4ce103dc343f292f9b64ff8a7d787f26531d8

SHA512
7636fb97b9e76c0e224ce69805618011cc4f73d3bfdddd4814cac98cd365c22ed48816eb0852a50617248e15989b340c5796cff18011b6630a53fa93dd1ef68e

Download Submit
memory/1444-17-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1780-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1780-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1780-4-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1780-7-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1780-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1780-13-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1780-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1780-18-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads