645ba34a610e83f812473b6dd8f11401b5fee119afaa4086fbcac4344f6a682d

General

Target

ebf998f965322c4309fae723b7a996a3_JaffaCakes118.exe
Size

4.1MB
MD5

ebf998f965322c4309fae723b7a996a3
SHA1

068b921df854e9b13c8094528ad5d6f8c87153cf
SHA256

645ba34a610e83f812473b6dd8f11401b5fee119afaa4086fbcac4344f6a682d
SHA512

85ffe32d20095eb08edffeee3fcf7da9c1081cbc217c6b9b37d231713469a4ee1d04e78b450d9817d50a1ef56cc91df6383f3e86ffa862f699b676e3ae14581f
SSDEEP

98304:v10dBAEoDCqpjUMVvMOSo5QAXZx7SnE3jIes+KU4Jj:8xCzf9MOSSQ+xRMestU45

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
4024	ebf998f965322c4309fae723b7a996a3_JaffaCakes118.exe
4024	ebf998f965322c4309fae723b7a996a3_JaffaCakes118.exe
4024	ebf998f965322c4309fae723b7a996a3_JaffaCakes118.exe
4024	ebf998f965322c4309fae723b7a996a3_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows-Security = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Security.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4980	reg.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 4024	1384	ebf998f965322c4309fae723b7a996a3_JaffaCakes118.exe	85
PID 1384 wrote to memory of 4024	1384	ebf998f965322c4309fae723b7a996a3_JaffaCakes118.exe	85
PID 1384 wrote to memory of 4024	1384	ebf998f965322c4309fae723b7a996a3_JaffaCakes118.exe	85
PID 4024 wrote to memory of 676	4024	ebf998f965322c4309fae723b7a996a3_JaffaCakes118.exe	86
PID 4024 wrote to memory of 676	4024	ebf998f965322c4309fae723b7a996a3_JaffaCakes118.exe	86
PID 4024 wrote to memory of 676	4024	ebf998f965322c4309fae723b7a996a3_JaffaCakes118.exe	86
PID 4024 wrote to memory of 836	4024	ebf998f965322c4309fae723b7a996a3_JaffaCakes118.exe	87
PID 4024 wrote to memory of 836	4024	ebf998f965322c4309fae723b7a996a3_JaffaCakes118.exe	87
PID 4024 wrote to memory of 836	4024	ebf998f965322c4309fae723b7a996a3_JaffaCakes118.exe	87
PID 836 wrote to memory of 4980	836	cmd.exe	90
PID 836 wrote to memory of 4980	836	cmd.exe	90
PID 836 wrote to memory of 4980	836	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\ebf998f965322c4309fae723b7a996a3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebf998f965322c4309fae723b7a996a3_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\ebf998f965322c4309fae723b7a996a3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ebf998f965322c4309fae723b7a996a3_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI13~1\valo.jpg"
    3⤵
    PID:676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows-Security /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Security.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Windows-Security /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI13842\backdoor.exe.manifest

Filesize
1KB

MD5
d90c6d88e2eb51cfc326013e6a29c88e

SHA1
00d48aeb55290c73b7d65f34b1ef6b38ee3f6f96

SHA256
39d3ee9e78a9402b72b2b9b29280f0ae5a0b8ee72bcf57835e3b08563d983c74

SHA512
6ca2ba97e3666fdcfff0fd178dbc7c47688874ede9b81f1a174bc92046aa82f90d3e3371e0276a4a3da59b8060de26cb79c2bf0f8ef6bbc5f16e9e351406ffc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13842\python27.dll

Filesize
2.5MB

MD5
3068e353227d47f00180eccb05025f7f

SHA1
b39783e7e370aac19e888f39e81ea5bd5749edee

SHA256
2b3d0632696f51eebcddb7046b855f156e12aad53f98488272b4184fe820392a

SHA512
04d768aab54672419d86b73cb2c3325a754206446ab1b82d96d2e154c53c1b6ee3425f3ce21eaa7254795b234719f8a38ae23ff8fc4c509b42148ebcffbe8842

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13~1\_socket.pyd

Filesize
45KB

MD5
a9cc2ff4f9cb6f6f297c598e9f541564

SHA1
e38159f04683f0e1ed22baba0e7dcc5a9bc09172

SHA256
36a7dd2596598916384044b680d62fc7369d246703a57178c27c74214a78585f

SHA512
9d99f546e5fa8c235fef007d8eca990350f35d11cd903c5d91611c133166845834c27b1c6a9132c71776754580d9e62fb5072ce6ada1f48feecbf408ca39026f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13~1\_ssl.pyd

Filesize
1.3MB

MD5
d0e36d53cbcea2ac559fec2c596f5b06

SHA1
8abe0c059ef3403d067a49cf8abcb883c7f113ec

SHA256
ae14e8d2ac9adbbb1c1d2a8001a017ba577663322fe7606c22bc0081d2764bc9

SHA512
6cc4a3ede744f81a8e619ee919dfc25e3d16bdcdcf25ec49699d9c1b5511e29d88c67bb7f6936363960838a73e4417668fe6a18220bf777baf174bb8278b69be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13~1\bz2.pyd

Filesize
69KB

MD5
9897fb7cfe7f78b4e4521d8d437bea0e

SHA1
f7cd930bac39701349ef3043986be42a705da3ad

SHA256
d99399bd6ca916c0490af907fb06530839d0797b18a997ed5c091393fc2292f8

SHA512
ad310e30a58fc42ce9d1b5265c4041ce59ee8acebc4ec5e3ce58af8415423a09387f303e5111938f51f0dff7a44714917ca860788136f4962baf1fbe8cac1088

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads