939599e255f0c6092afd1b747b0b8d4734ab1218be51708c395151f69da19e39

General

Target

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Size

141KB
MD5

f6ba36edaf3b699b3656fb94131d06da
SHA1

9dc88694e0f4be51cc4c6b435349f3939e6b0a47
SHA256

939599e255f0c6092afd1b747b0b8d4734ab1218be51708c395151f69da19e39
SHA512

c70e3cba46c8d75db05db5d4b8461ce7d3d1087d56ac635f856a9b26f85152ba465653944acb7bfe87edb5b978fc45d9c462c2f61461e4efe36e9f607fb0b6b6
SSDEEP

3072:K5yJGaBDcKFP/QCtxydMKNWUWFisaGJC:K59aBwC/QrAfaGw

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

windowssistema.exemsinfowindows.exeoperatingmsader15.exemicrosoftbasic.exe

pid process

3028 windowssistema.exe
2716 msinfowindows.exe
1872 operatingmsader15.exe
2244 microsoftbasic.exe

pid	process
3028	windowssistema.exe
2716	msinfowindows.exe
1872	operatingmsader15.exe
2244	microsoftbasic.exe

Loads dropped DLL 8 IoCs

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

pid	process
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\EngineSource = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OperatingSystem = "c:\\program files (x86)\\common files\\microsoft shared\\ink\\1.7\\operatingwindows.exe"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msader15msader156.1.7600.163857.0907131255 = "c:\\program files (x86)\\common files\\system\\ado\\en-us\\operatingmsader15.exe"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SistemaWindows = "c:\\program files (x86)\\windows nt\\accessories\\es-es\\windowssistema.exe"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ApplicationsBasic = "c:\\program files (x86)\\common files\\microsoft shared\\vba\\vba6\\microsoftbasic.exe"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EngineOffice = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\Microsoftmsinfo = "c:\\program files (x86)\\common files\\microsoft shared\\msinfo\\de-de\\msinfowindows.exe"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\UpdateUpdate = "c:\\program files (x86)\\google\\update\\googleupdate.exe"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSSync.exe\" /DelayServices"	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

Drops file in System32 directory 5 IoCs

Processes:

microsoftbasic.exef6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exewindowssistema.exemsinfowindows.exeoperatingmsader15.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	microsoftbasic.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	windowssistema.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	msinfowindows.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	operatingmsader15.exe

Drops file in Program Files directory 7 IoCs

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\msinfoWindows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\msinfoWindows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\WindowsSistema.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\ado\en-US\Operatingmsader15.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\MicrosoftBasic.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\OperatingWindows.exe	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

pid	process
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe

description	pid	process	target process
PID 1952 wrote to memory of 3028	1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	windowssistema.exe
PID 1952 wrote to memory of 3028	1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	windowssistema.exe
PID 1952 wrote to memory of 3028	1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	windowssistema.exe
PID 1952 wrote to memory of 3028	1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	windowssistema.exe
PID 1952 wrote to memory of 2716	1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	msinfowindows.exe
PID 1952 wrote to memory of 2716	1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	msinfowindows.exe
PID 1952 wrote to memory of 2716	1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	msinfowindows.exe
PID 1952 wrote to memory of 2716	1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	msinfowindows.exe
PID 1952 wrote to memory of 1872	1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	operatingmsader15.exe
PID 1952 wrote to memory of 1872	1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	operatingmsader15.exe
PID 1952 wrote to memory of 1872	1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	operatingmsader15.exe
PID 1952 wrote to memory of 1872	1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	operatingmsader15.exe
PID 1952 wrote to memory of 2244	1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	microsoftbasic.exe
PID 1952 wrote to memory of 2244	1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	microsoftbasic.exe
PID 1952 wrote to memory of 2244	1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	microsoftbasic.exe
PID 1952 wrote to memory of 2244	1952	f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe	microsoftbasic.exe

C:\Users\Admin\AppData\Local\Temp\f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6ba36edaf3b699b3656fb94131d06da_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1952
- \??\c:\program files (x86)\windows nt\accessories\es-es\windowssistema.exe
  "c:\program files (x86)\windows nt\accessories\es-es\windowssistema.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3028
- \??\c:\program files (x86)\common files\microsoft shared\msinfo\de-de\msinfowindows.exe
  "c:\program files (x86)\common files\microsoft shared\msinfo\de-de\msinfowindows.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2716
- \??\c:\program files (x86)\common files\system\ado\en-us\operatingmsader15.exe
  "c:\program files (x86)\common files\system\ado\en-us\operatingmsader15.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1872
- \??\c:\program files (x86)\common files\microsoft shared\vba\vba6\microsoftbasic.exe
  "c:\program files (x86)\common files\microsoft shared\vba\vba6\microsoftbasic.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\Accessories\es-ES\WindowsSistema.exe

Filesize
141KB

MD5
f6ba36edaf3b699b3656fb94131d06da

SHA1
9dc88694e0f4be51cc4c6b435349f3939e6b0a47

SHA256
939599e255f0c6092afd1b747b0b8d4734ab1218be51708c395151f69da19e39

SHA512
c70e3cba46c8d75db05db5d4b8461ce7d3d1087d56ac635f856a9b26f85152ba465653944acb7bfe87edb5b978fc45d9c462c2f61461e4efe36e9f607fb0b6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qas60A6.tmp

Filesize
8KB

MD5
c231a4c3f5256b7438d11348b3e12722

SHA1
b578a2c26d60d060ec4e27ed165731a32448cbad

SHA256
caa4d011052e76cb6181c28a9e1311ec708c3120e0be1ddde218b4a2116c9bff

SHA512
e21fdd951ccae6bdbb25e50ea6674052a8614db2999c692fedbefff374f9b8748bbb8e3eb58243243509908bf1739abcd1f7e50c37067e8053f3bc998ea021e0

Download Submit
memory/1872-242-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1952-3-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1952-4-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1952-100-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2244-332-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2244-333-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2716-157-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2716-158-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3028-77-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads