95cde0f952b32b04d3f45b0162f80d7a001aeea46b7aea3d6e4552e69f69d285

General

Target

eaac458aa81f046bf5f3f58625de8b58_JaffaCakes118.exe
Size

7.9MB
MD5

eaac458aa81f046bf5f3f58625de8b58
SHA1

beb26f3e935583bca2d88f024d4653fb59c9bb40
SHA256

95cde0f952b32b04d3f45b0162f80d7a001aeea46b7aea3d6e4552e69f69d285
SHA512

ce33c0647bc830bcf729e095fbeee251a15954e355d4ca32428f9a26031903a3065b16f584175cb9fbe26fb4fcfc0cd2f2be0d98e5d778f078146b7d617cc5a7
SSDEEP

196608:87azg7DSm7azg7DSm7azg7DSm7azg7DSN:Hg7uJg7uJg7uJg7uN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2644	7D57AD13E21.exe
2572	Scegli_nome_allegato.exe
2784	7D57AD13E21.exe

Loads dropped DLL 3 IoCs

pid	Process
2184	eaac458aa81f046bf5f3f58625de8b58_JaffaCakes118.exe
2184	eaac458aa81f046bf5f3f58625de8b58_JaffaCakes118.exe
2184	eaac458aa81f046bf5f3f58625de8b58_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\7D57AD13E21.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 2784	2644	7D57AD13E21.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	Scegli_nome_allegato.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Scegli_nome_allegato.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Scegli_nome_allegato.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3028	reg.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2572	Scegli_nome_allegato.exe
2572	Scegli_nome_allegato.exe
2572	Scegli_nome_allegato.exe
2784	7D57AD13E21.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 3028	2184	eaac458aa81f046bf5f3f58625de8b58_JaffaCakes118.exe	28
PID 2184 wrote to memory of 3028	2184	eaac458aa81f046bf5f3f58625de8b58_JaffaCakes118.exe	28
PID 2184 wrote to memory of 3028	2184	eaac458aa81f046bf5f3f58625de8b58_JaffaCakes118.exe	28
PID 2184 wrote to memory of 3028	2184	eaac458aa81f046bf5f3f58625de8b58_JaffaCakes118.exe	28
PID 2184 wrote to memory of 2644	2184	eaac458aa81f046bf5f3f58625de8b58_JaffaCakes118.exe	30
PID 2184 wrote to memory of 2644	2184	eaac458aa81f046bf5f3f58625de8b58_JaffaCakes118.exe	30
PID 2184 wrote to memory of 2644	2184	eaac458aa81f046bf5f3f58625de8b58_JaffaCakes118.exe	30
PID 2184 wrote to memory of 2644	2184	eaac458aa81f046bf5f3f58625de8b58_JaffaCakes118.exe	30
PID 2184 wrote to memory of 2572	2184	eaac458aa81f046bf5f3f58625de8b58_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2572	2184	eaac458aa81f046bf5f3f58625de8b58_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2572	2184	eaac458aa81f046bf5f3f58625de8b58_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2572	2184	eaac458aa81f046bf5f3f58625de8b58_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2784	2644	7D57AD13E21.exe	33
PID 2644 wrote to memory of 2784	2644	7D57AD13E21.exe	33
PID 2644 wrote to memory of 2784	2644	7D57AD13E21.exe	33
PID 2644 wrote to memory of 2784	2644	7D57AD13E21.exe	33
PID 2644 wrote to memory of 2784	2644	7D57AD13E21.exe	33
PID 2644 wrote to memory of 2784	2644	7D57AD13E21.exe	33

C:\Users\Admin\AppData\Local\Temp\eaac458aa81f046bf5f3f58625de8b58_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eaac458aa81f046bf5f3f58625de8b58_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:3028
- C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
  "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe
    "C:\Users\Admin\AppData\Roaming\7D57AD13E21.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2784
- C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe
  "C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Scegli_nome_allegato.exe

Filesize
1.0MB

MD5
a2f259ceb892d3b0d1d121997c8927e3

SHA1
6e0a7239822b8d365d690a314f231286355f6cc6

SHA256
ab01a333f38605cbcebd80e0a84ffae2803a9b4f6bebb1e9f773e949a87cb420

SHA512
5ae1b60390c94c9e79d3b500a55b775d82556e599963d533170b9f35ad5cfa2df1b7d24de1890acf8e1e2c356830396091d46632dbc6ee43a7d042d4facb5dad

Download Submit
\Users\Admin\AppData\Roaming\7D57AD13E21.exe

Filesize
7.9MB

MD5
8f1fee005c2f914a5496a820c021b123

SHA1
22cbf28ae8ca07bb646b5fd359a683697393f571

SHA256
6ffcc767d6c8a529c2d9eeba36ada831ae9bd26d629e777eef39a3c04048ea4a

SHA512
b6f7e4cfcb068bd140ef4ae0e55233f493256954999c75524ec0afbf50b4586cffec67d1a9e7380737df6ff44bc07802806a1acb5fafa736213eb30023b80b5a

Download Submit
memory/2184-1-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/2184-12-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/2184-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2184-20-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/2572-41-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2572-21-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2572-26-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2572-55-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2644-40-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/2644-13-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2644-50-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/2784-49-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2784-47-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2784-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2784-51-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2784-54-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2784-53-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2784-43-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2784-57-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2784-60-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads