3962f70709fe4787c59a4a71f488fc40ec405f7d309df9a4da11380ef3e1a569

General

Target

f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
Size

356KB
MD5

f377c45fa62047578d8d8650e5468a27
SHA1

529a01aab9d23110f151fba78380bea04399914d
SHA256

3962f70709fe4787c59a4a71f488fc40ec405f7d309df9a4da11380ef3e1a569
SHA512

ba1606a5d36efd7a906f8e6c41aeb7e04003c0e2a2227fe15a157297601601a87050cb7321986d551d93e881dbd9bbfbf35b520f11f85005a31f30698b4a9e81
SSDEEP

6144:7vbx84d/xDLY1hn1sL9cXiBmagG12+cJfBUOyIjyDq:7XfLwsRcXciBUOf3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2668	rYNVOxKfBTgl.exe

Executes dropped EXE 2 IoCs

pid	Process
2560	rYNVOxKfBTgl.exe
2668	rYNVOxKfBTgl.exe

Loads dropped DLL 4 IoCs

pid	Process
2796	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
2796	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
2796	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
2668	rYNVOxKfBTgl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\spxoFiL3t9Lvgo = "C:\\ProgramData\\JNKhpeYUcQh2W\\rYNVOxKfBTgl.exe"	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2372 set thread context of 2796	2372	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe	28
PID 2560 set thread context of 2668	2560	rYNVOxKfBTgl.exe	30
PID 2668 set thread context of 2480	2668	rYNVOxKfBTgl.exe	32

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2796	2372	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe	28
PID 2372 wrote to memory of 2796	2372	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe	28
PID 2372 wrote to memory of 2796	2372	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe	28
PID 2372 wrote to memory of 2796	2372	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe	28
PID 2372 wrote to memory of 2796	2372	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe	28
PID 2372 wrote to memory of 2796	2372	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe	28
PID 2796 wrote to memory of 2560	2796	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe	29
PID 2796 wrote to memory of 2560	2796	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe	29
PID 2796 wrote to memory of 2560	2796	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe	29
PID 2796 wrote to memory of 2560	2796	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe	29
PID 2560 wrote to memory of 2668	2560	rYNVOxKfBTgl.exe	30
PID 2560 wrote to memory of 2668	2560	rYNVOxKfBTgl.exe	30
PID 2560 wrote to memory of 2668	2560	rYNVOxKfBTgl.exe	30
PID 2560 wrote to memory of 2668	2560	rYNVOxKfBTgl.exe	30
PID 2560 wrote to memory of 2668	2560	rYNVOxKfBTgl.exe	30
PID 2560 wrote to memory of 2668	2560	rYNVOxKfBTgl.exe	30
PID 2668 wrote to memory of 2520	2668	rYNVOxKfBTgl.exe	31
PID 2668 wrote to memory of 2520	2668	rYNVOxKfBTgl.exe	31
PID 2668 wrote to memory of 2520	2668	rYNVOxKfBTgl.exe	31
PID 2668 wrote to memory of 2520	2668	rYNVOxKfBTgl.exe	31
PID 2668 wrote to memory of 2480	2668	rYNVOxKfBTgl.exe	32
PID 2668 wrote to memory of 2480	2668	rYNVOxKfBTgl.exe	32
PID 2668 wrote to memory of 2480	2668	rYNVOxKfBTgl.exe	32
PID 2668 wrote to memory of 2480	2668	rYNVOxKfBTgl.exe	32
PID 2668 wrote to memory of 2480	2668	rYNVOxKfBTgl.exe	32
PID 2668 wrote to memory of 2480	2668	rYNVOxKfBTgl.exe	32

C:\Users\Admin\AppData\Local\Temp\f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\ProgramData\JNKhpeYUcQh2W\rYNVOxKfBTgl.exe
    "C:\ProgramData\JNKhpeYUcQh2W\rYNVOxKfBTgl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\ProgramData\JNKhpeYUcQh2W\rYNVOxKfBTgl.exe
      "C:\ProgramData\JNKhpeYUcQh2W\rYNVOxKfBTgl.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe" /i:2668
        5⤵
        
        PID:2520
    - - C:\Program Files (x86)\Windows Media Player\wmpshare.exe
        
        "C:\Program Files (x86)\Windows Media Player\wmpshare.exe" /i:2668
        5⤵
        
        PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\JNKhpeYUcQh2W\RCX400C.tmp

Filesize
356KB

MD5
7989d519dfa094e3a6c458cbe26a8ebd

SHA1
fa856b25c180fa83a5d0a2d6648c8917a750dee3

SHA256
f2c2042df7f9510939b609952c4bb5bad4470f136cc4f403a850f7b9c01aff27

SHA512
3598565f3f30586708bd16b9ecaa773f6271239d18fecae3fb0ae0b74c005ad8f1e53d9f2a2a26d527f9a137fa9da41167642c3832035dedd2a26afbea3f8fcc

Download Submit
\ProgramData\JNKhpeYUcQh2W\rYNVOxKfBTgl.exe

Filesize
356KB

MD5
f377c45fa62047578d8d8650e5468a27

SHA1
529a01aab9d23110f151fba78380bea04399914d

SHA256
3962f70709fe4787c59a4a71f488fc40ec405f7d309df9a4da11380ef3e1a569

SHA512
ba1606a5d36efd7a906f8e6c41aeb7e04003c0e2a2227fe15a157297601601a87050cb7321986d551d93e881dbd9bbfbf35b520f11f85005a31f30698b4a9e81

Download Submit
memory/2372-6-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2372-1-0x0000000075C60000-0x0000000075D70000-memory.dmp

Filesize
1.1MB

Download
memory/2372-9-0x0000000075C60000-0x0000000075D70000-memory.dmp

Filesize
1.1MB

Download
memory/2480-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2480-53-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2480-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2560-39-0x0000000075C60000-0x0000000075D70000-memory.dmp

Filesize
1.1MB

Download
memory/2560-29-0x0000000075C60000-0x0000000075D70000-memory.dmp

Filesize
1.1MB

Download
memory/2560-36-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2668-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2668-45-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2668-40-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2796-8-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2796-25-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2796-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2796-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2796-10-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2796-5-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2796-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads