21f2eabbc51d9b7a7c33837fb35f9897b1102fd5361ba652efb5180433763140

General

Target

ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe
Size

84KB
MD5

ead1f7d573b4460944217f4030f22964
SHA1

2b9d6d4439bc1d9e47f9960472b97881f685fe85
SHA256

21f2eabbc51d9b7a7c33837fb35f9897b1102fd5361ba652efb5180433763140
SHA512

5604d7c6ed69bf803ae294226d49086eb655c74433b93bc1fd52f139092f3999d1271fb538c1b2d405968d3b2816be4e5c979fba62de30c1c09cc3fdc33f983e
SSDEEP

768:9nS+RC2/CiOBglMJx6kZjuTHbA8Y4uwdAb46B+CtOw+0GxTMlxTkjt3n7mBG:99SAlM7tju/4wdL8hOYG0ojtSQ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\7767969599757996844\winsvc.exe = "C:\\Users\\Admin\\7767969599757996844\\winsvc.exe:*:Enabled:Microsoft Windows Update"	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2664	winsvc.exe
2448	winsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
3060	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe
3060	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update = "C:\\Users\\Admin\\7767969599757996844\\winsvc.exe"	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1048 set thread context of 3060	1048	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe	28
PID 2664 set thread context of 2448	2664	winsvc.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1048	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe
2664	winsvc.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 3060	1048	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe	28
PID 1048 wrote to memory of 3060	1048	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe	28
PID 1048 wrote to memory of 3060	1048	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe	28
PID 1048 wrote to memory of 3060	1048	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe	28
PID 1048 wrote to memory of 3060	1048	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe	28
PID 1048 wrote to memory of 3060	1048	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe	28
PID 1048 wrote to memory of 3060	1048	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe	28
PID 1048 wrote to memory of 3060	1048	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe	28
PID 1048 wrote to memory of 3060	1048	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe	28
PID 1048 wrote to memory of 3060	1048	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe	28
PID 1048 wrote to memory of 3060	1048	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe	28
PID 3060 wrote to memory of 2664	3060	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe	29
PID 3060 wrote to memory of 2664	3060	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe	29
PID 3060 wrote to memory of 2664	3060	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe	29
PID 3060 wrote to memory of 2664	3060	ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe	29
PID 2664 wrote to memory of 2448	2664	winsvc.exe	30
PID 2664 wrote to memory of 2448	2664	winsvc.exe	30
PID 2664 wrote to memory of 2448	2664	winsvc.exe	30
PID 2664 wrote to memory of 2448	2664	winsvc.exe	30
PID 2664 wrote to memory of 2448	2664	winsvc.exe	30
PID 2664 wrote to memory of 2448	2664	winsvc.exe	30
PID 2664 wrote to memory of 2448	2664	winsvc.exe	30
PID 2664 wrote to memory of 2448	2664	winsvc.exe	30
PID 2664 wrote to memory of 2448	2664	winsvc.exe	30
PID 2664 wrote to memory of 2448	2664	winsvc.exe	30
PID 2664 wrote to memory of 2448	2664	winsvc.exe	30

C:\Users\Admin\AppData\Local\Temp\ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ead1f7d573b4460944217f4030f22964_JaffaCakes118.exe"
  2⤵
  - Modifies firewall policy service
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\7767969599757996844\winsvc.exe
    "C:\Users\Admin\7767969599757996844\winsvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\7767969599757996844\winsvc.exe
      "C:\Users\Admin\7767969599757996844\winsvc.exe"
      4⤵
      Executes dropped EXE
      PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\7767969599757996844\winsvc.exe

Filesize
84KB

MD5
ead1f7d573b4460944217f4030f22964

SHA1
2b9d6d4439bc1d9e47f9960472b97881f685fe85

SHA256
21f2eabbc51d9b7a7c33837fb35f9897b1102fd5361ba652efb5180433763140

SHA512
5604d7c6ed69bf803ae294226d49086eb655c74433b93bc1fd52f139092f3999d1271fb538c1b2d405968d3b2816be4e5c979fba62de30c1c09cc3fdc33f983e

Download Submit
memory/1048-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1048-3-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1048-20-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2448-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2448-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2664-56-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2664-54-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3060-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3060-18-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3060-14-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3060-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3060-22-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3060-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3060-10-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3060-8-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3060-6-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3060-4-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads