3962f70709fe4787c59a4a71f488fc40ec405f7d309df9a4da11380ef3e1a569

General

Target

f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
Size

356KB
MD5

f377c45fa62047578d8d8650e5468a27
SHA1

529a01aab9d23110f151fba78380bea04399914d
SHA256

3962f70709fe4787c59a4a71f488fc40ec405f7d309df9a4da11380ef3e1a569
SHA512

ba1606a5d36efd7a906f8e6c41aeb7e04003c0e2a2227fe15a157297601601a87050cb7321986d551d93e881dbd9bbfbf35b520f11f85005a31f30698b4a9e81
SSDEEP

6144:7vbx84d/xDLY1hn1sL9cXiBmagG12+cJfBUOyIjyDq:7XfLwsRcXciBUOf3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5060	GwK96GiyF.exe

Executes dropped EXE 2 IoCs

pid	Process
4544	GwK96GiyF.exe
5060	GwK96GiyF.exe

Loads dropped DLL 4 IoCs

pid	Process
2076	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
2076	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
5060	GwK96GiyF.exe
5060	GwK96GiyF.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\g06Ra0JrLFH9LsN = "C:\\ProgramData\\3NtR3IDwqdiJXVO\\GwK96GiyF.exe"	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4028 set thread context of 2076	4028	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe	91
PID 4544 set thread context of 5060	4544	GwK96GiyF.exe	93
PID 5060 set thread context of 1392	5060	GwK96GiyF.exe	102

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 2076	4028	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe	91
PID 4028 wrote to memory of 2076	4028	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe	91
PID 4028 wrote to memory of 2076	4028	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe	91
PID 4028 wrote to memory of 2076	4028	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe	91
PID 4028 wrote to memory of 2076	4028	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe	91
PID 2076 wrote to memory of 4544	2076	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe	92
PID 2076 wrote to memory of 4544	2076	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe	92
PID 2076 wrote to memory of 4544	2076	f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe	92
PID 4544 wrote to memory of 5060	4544	GwK96GiyF.exe	93
PID 4544 wrote to memory of 5060	4544	GwK96GiyF.exe	93
PID 4544 wrote to memory of 5060	4544	GwK96GiyF.exe	93
PID 4544 wrote to memory of 5060	4544	GwK96GiyF.exe	93
PID 4544 wrote to memory of 5060	4544	GwK96GiyF.exe	93
PID 5060 wrote to memory of 1504	5060	GwK96GiyF.exe	99
PID 5060 wrote to memory of 1504	5060	GwK96GiyF.exe	99
PID 5060 wrote to memory of 1504	5060	GwK96GiyF.exe	99
PID 5060 wrote to memory of 1392	5060	GwK96GiyF.exe	102
PID 5060 wrote to memory of 1392	5060	GwK96GiyF.exe	102
PID 5060 wrote to memory of 1392	5060	GwK96GiyF.exe	102
PID 5060 wrote to memory of 1392	5060	GwK96GiyF.exe	102
PID 5060 wrote to memory of 1392	5060	GwK96GiyF.exe	102

C:\Users\Admin\AppData\Local\Temp\f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Local\Temp\f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f377c45fa62047578d8d8650e5468a27_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\ProgramData\3NtR3IDwqdiJXVO\GwK96GiyF.exe
    "C:\ProgramData\3NtR3IDwqdiJXVO\GwK96GiyF.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\ProgramData\3NtR3IDwqdiJXVO\GwK96GiyF.exe
      "C:\ProgramData\3NtR3IDwqdiJXVO\GwK96GiyF.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe" /i:5060
        5⤵
        
        PID:1504
    - - C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe" /i:5060
        5⤵
        
        PID:1392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\3NtR3IDwqdiJXVO\GwK96GiyF.exe

Filesize
356KB

MD5
f377c45fa62047578d8d8650e5468a27

SHA1
529a01aab9d23110f151fba78380bea04399914d

SHA256
3962f70709fe4787c59a4a71f488fc40ec405f7d309df9a4da11380ef3e1a569

SHA512
ba1606a5d36efd7a906f8e6c41aeb7e04003c0e2a2227fe15a157297601601a87050cb7321986d551d93e881dbd9bbfbf35b520f11f85005a31f30698b4a9e81

Download Submit
C:\ProgramData\3NtR3IDwqdiJXVO\RCX1F6A.tmp

Filesize
356KB

MD5
f8829d1ea210ffd3dff2f2d74cce7f60

SHA1
b424f19679d41c7d67e0ca7472351e0e75204361

SHA256
d329299b93ba484f9e4e0011e3e8391cf5b5688afffddf13ea9837e330a5b9ec

SHA512
5c4dfa76c9ae6c7cd5db6897325e593d97a8a29b5f4f8afd387960292aae1474beed8e6c13b157240fb292261455d1a8731cce64632df378cbc6ff4093614239

Download Submit
memory/1392-43-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1392-40-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2076-18-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2076-1-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2076-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2076-3-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2076-5-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4028-4-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4028-6-0x0000000075770000-0x0000000075860000-memory.dmp

Filesize
960KB

Download
memory/4028-0-0x0000000075770000-0x0000000075860000-memory.dmp

Filesize
960KB

Download
memory/4544-22-0x0000000075770000-0x0000000075860000-memory.dmp

Filesize
960KB

Download
memory/4544-26-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4544-28-0x0000000075770000-0x0000000075860000-memory.dmp

Filesize
960KB

Download
memory/5060-29-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5060-36-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5060-41-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads