c3a8862c6d40241588d1b4e01523f7e9a97f71dae77d7316c7814de8a52321f4

General

Target

f47292822d37ac25baa57164e44279c6_JaffaCakes118.exe
Size

132KB
MD5

f47292822d37ac25baa57164e44279c6
SHA1

2a7842d1149d3c7d4811d732d9b03e5ab3dfef37
SHA256

c3a8862c6d40241588d1b4e01523f7e9a97f71dae77d7316c7814de8a52321f4
SHA512

a2dbb1c8a97cb8b01123c2253bdf485c64a1af5ae9cdc90387dfa0d50d3e5079f55b943eb63a6c6f1f29d7fa318b184db2d9625030ab88b3f2a9b4671b457de4
SSDEEP

3072:PjX5N8c1LiTy8xPisdAISbbsqRXgOlRXJdga/3yyLQjV:wmwy8x66ArbbsqRXRga/3zQ

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2688	rundll32.exe
2688	rundll32.exe
2688	rundll32.exe
2688	rundll32.exe
2552	rundll32.exe
2552	rundll32.exe
2552	rundll32.exe
2552	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ttagavabowine = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\vecelgr.dll\",Startup"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2688	rundll32.exe
2688	rundll32.exe
2688	rundll32.exe
2688	rundll32.exe
2688	rundll32.exe
2688	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2020	f47292822d37ac25baa57164e44279c6_JaffaCakes118.exe
2688	rundll32.exe
2552	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2688	2020	f47292822d37ac25baa57164e44279c6_JaffaCakes118.exe	28
PID 2020 wrote to memory of 2688	2020	f47292822d37ac25baa57164e44279c6_JaffaCakes118.exe	28
PID 2020 wrote to memory of 2688	2020	f47292822d37ac25baa57164e44279c6_JaffaCakes118.exe	28
PID 2020 wrote to memory of 2688	2020	f47292822d37ac25baa57164e44279c6_JaffaCakes118.exe	28
PID 2020 wrote to memory of 2688	2020	f47292822d37ac25baa57164e44279c6_JaffaCakes118.exe	28
PID 2020 wrote to memory of 2688	2020	f47292822d37ac25baa57164e44279c6_JaffaCakes118.exe	28
PID 2020 wrote to memory of 2688	2020	f47292822d37ac25baa57164e44279c6_JaffaCakes118.exe	28
PID 2688 wrote to memory of 2552	2688	rundll32.exe	29
PID 2688 wrote to memory of 2552	2688	rundll32.exe	29
PID 2688 wrote to memory of 2552	2688	rundll32.exe	29
PID 2688 wrote to memory of 2552	2688	rundll32.exe	29
PID 2688 wrote to memory of 2552	2688	rundll32.exe	29
PID 2688 wrote to memory of 2552	2688	rundll32.exe	29
PID 2688 wrote to memory of 2552	2688	rundll32.exe	29

C:\Users\Admin\AppData\Local\Temp\f47292822d37ac25baa57164e44279c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f47292822d37ac25baa57164e44279c6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\vecelgr.dll",Startup
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\vecelgr.dll",iep
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\vecelgr.dll

Filesize
132KB

MD5
6561efc134dac9fbe0bcc54d5dbce17c

SHA1
438bd47b5453f4ca9ae8a198a398d7a91247d376

SHA256
be456ffe91fe8fac2fcd6428c9195e55b2b5d7dc01c5089b5811ef7a3e9d421e

SHA512
2c9b3b861e420c8f6316c4ff939e131061c2cb42cc14dee8e838b382c627e1bdc519ebd0f705bc9baa8b19df3b1f66ff59038044a36b753e8972be1e9ec339b6

Download Submit
memory/2020-2-0x0000000001D30000-0x0000000001D70000-memory.dmp

Filesize
256KB

Download
memory/2020-0-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2020-13-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2020-1-0x0000000001D30000-0x0000000001D70000-memory.dmp

Filesize
256KB

Download
memory/2020-17-0x0000000001D30000-0x0000000001D70000-memory.dmp

Filesize
256KB

Download
memory/2020-18-0x0000000001D30000-0x0000000001D70000-memory.dmp

Filesize
256KB

Download
memory/2552-26-0x0000000002220000-0x0000000002260000-memory.dmp

Filesize
256KB

Download
memory/2552-32-0x0000000002220000-0x0000000002260000-memory.dmp

Filesize
256KB

Download
memory/2552-29-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2552-27-0x0000000002220000-0x0000000002260000-memory.dmp

Filesize
256KB

Download
memory/2688-14-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2688-25-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2688-12-0x0000000002110000-0x0000000002150000-memory.dmp

Filesize
256KB

Download
memory/2688-11-0x0000000002110000-0x0000000002150000-memory.dmp

Filesize
256KB

Download
memory/2688-28-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2688-10-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads