831b36929b95a9ae47a3a6d10f20f4e5d2db486f573e27aaa195c08a4f2a35cd

General

Target

f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe
Size

273KB
MD5

f595f533be3189b98ff7c4afb39b1f2c
SHA1

db1bc00ef2b9141d838c28a8be3ac16003efaddb
SHA256

831b36929b95a9ae47a3a6d10f20f4e5d2db486f573e27aaa195c08a4f2a35cd
SHA512

3d2cd428c1a7b9b5507f9d54561e5995cadc5d5aa10c3841ab0fd826f09e9bce82ce78308c6ca2cc5c391ea24517b0240b36a1034135bc8ca04af01d0e315f6d
SSDEEP

6144:VSJu+iVWUhWnn22+FtzfyirnPvV4AXuEgMK/x204F7LToV1a:cJu+iVWUY22+FtvrXV4AXeMK/x204F7z

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2632 netsh.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3024 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

hoopzo.exehoopzo.exe

pid process

3060 hoopzo.exe
2704 hoopzo.exe
Loads dropped DLL 3 IoCs

Processes:

f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exehoopzo.exe

pid process

1908 f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe
1908 f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe
3060 hoopzo.exe

pid	process
2632	netsh.exe

pid	process
3024	cmd.exe

pid	process
3060	hoopzo.exe
2704	hoopzo.exe

pid	process
1908	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe
1908	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe
3060	hoopzo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hoopzo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\{EDFA00E0-A83F-5EA7-1A8B-324DD5F20897} = "C:\\Users\\Admin\\AppData\\Roaming\\Kygyh\\hoopzo.exe"	hoopzo.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exehoopzo.exe

description	pid	process	target process
PID 2872 set thread context of 1908	2872	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe
PID 3060 set thread context of 2704	3060	hoopzo.exe	hoopzo.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Privacy	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	cmd.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

hoopzo.exe

pid	process
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe
2704	hoopzo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe

description pid process

Token: SeSecurityPrivilege 1908 f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe

description	pid	process
Token: SeSecurityPrivilege	1908	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exef595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.execmd.exehoopzo.exehoopzo.exe

description	pid	process	target process
PID 2872 wrote to memory of 1908	2872	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe
PID 2872 wrote to memory of 1908	2872	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe
PID 2872 wrote to memory of 1908	2872	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe
PID 2872 wrote to memory of 1908	2872	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe
PID 2872 wrote to memory of 1908	2872	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe
PID 2872 wrote to memory of 1908	2872	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe
PID 2872 wrote to memory of 1908	2872	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe
PID 2872 wrote to memory of 1908	2872	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe
PID 2872 wrote to memory of 1908	2872	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe
PID 1908 wrote to memory of 2728	1908	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	cmd.exe
PID 1908 wrote to memory of 2728	1908	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	cmd.exe
PID 1908 wrote to memory of 2728	1908	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	cmd.exe
PID 1908 wrote to memory of 2728	1908	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	cmd.exe
PID 1908 wrote to memory of 3060	1908	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	hoopzo.exe
PID 1908 wrote to memory of 3060	1908	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	hoopzo.exe
PID 1908 wrote to memory of 3060	1908	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	hoopzo.exe
PID 1908 wrote to memory of 3060	1908	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	hoopzo.exe
PID 2728 wrote to memory of 2632	2728	cmd.exe	netsh.exe
PID 2728 wrote to memory of 2632	2728	cmd.exe	netsh.exe
PID 2728 wrote to memory of 2632	2728	cmd.exe	netsh.exe
PID 2728 wrote to memory of 2632	2728	cmd.exe	netsh.exe
PID 3060 wrote to memory of 2704	3060	hoopzo.exe	hoopzo.exe
PID 3060 wrote to memory of 2704	3060	hoopzo.exe	hoopzo.exe
PID 3060 wrote to memory of 2704	3060	hoopzo.exe	hoopzo.exe
PID 3060 wrote to memory of 2704	3060	hoopzo.exe	hoopzo.exe
PID 3060 wrote to memory of 2704	3060	hoopzo.exe	hoopzo.exe
PID 3060 wrote to memory of 2704	3060	hoopzo.exe	hoopzo.exe
PID 3060 wrote to memory of 2704	3060	hoopzo.exe	hoopzo.exe
PID 3060 wrote to memory of 2704	3060	hoopzo.exe	hoopzo.exe
PID 3060 wrote to memory of 2704	3060	hoopzo.exe	hoopzo.exe
PID 1908 wrote to memory of 3024	1908	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	cmd.exe
PID 1908 wrote to memory of 3024	1908	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	cmd.exe
PID 1908 wrote to memory of 3024	1908	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	cmd.exe
PID 1908 wrote to memory of 3024	1908	f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe	cmd.exe
PID 2704 wrote to memory of 1100	2704	hoopzo.exe	taskhost.exe
PID 2704 wrote to memory of 1100	2704	hoopzo.exe	taskhost.exe
PID 2704 wrote to memory of 1100	2704	hoopzo.exe	taskhost.exe
PID 2704 wrote to memory of 1100	2704	hoopzo.exe	taskhost.exe
PID 2704 wrote to memory of 1100	2704	hoopzo.exe	taskhost.exe
PID 2704 wrote to memory of 1152	2704	hoopzo.exe	Dwm.exe
PID 2704 wrote to memory of 1152	2704	hoopzo.exe	Dwm.exe
PID 2704 wrote to memory of 1152	2704	hoopzo.exe	Dwm.exe
PID 2704 wrote to memory of 1152	2704	hoopzo.exe	Dwm.exe
PID 2704 wrote to memory of 1152	2704	hoopzo.exe	Dwm.exe
PID 2704 wrote to memory of 1200	2704	hoopzo.exe	Explorer.EXE
PID 2704 wrote to memory of 1200	2704	hoopzo.exe	Explorer.EXE
PID 2704 wrote to memory of 1200	2704	hoopzo.exe	Explorer.EXE
PID 2704 wrote to memory of 1200	2704	hoopzo.exe	Explorer.EXE
PID 2704 wrote to memory of 1200	2704	hoopzo.exe	Explorer.EXE
PID 2704 wrote to memory of 296	2704	hoopzo.exe	DllHost.exe
PID 2704 wrote to memory of 296	2704	hoopzo.exe	DllHost.exe
PID 2704 wrote to memory of 296	2704	hoopzo.exe	DllHost.exe
PID 2704 wrote to memory of 296	2704	hoopzo.exe	DllHost.exe
PID 2704 wrote to memory of 296	2704	hoopzo.exe	DllHost.exe
PID 2704 wrote to memory of 2728	2704	hoopzo.exe	cmd.exe
PID 2704 wrote to memory of 2728	2704	hoopzo.exe	cmd.exe
PID 2704 wrote to memory of 2728	2704	hoopzo.exe	cmd.exe
PID 2704 wrote to memory of 2728	2704	hoopzo.exe	cmd.exe
PID 2704 wrote to memory of 2728	2704	hoopzo.exe	cmd.exe
PID 2704 wrote to memory of 2764	2704	hoopzo.exe	DllHost.exe
PID 2704 wrote to memory of 2764	2704	hoopzo.exe	DllHost.exe
PID 2704 wrote to memory of 2764	2704	hoopzo.exe	DllHost.exe
PID 2704 wrote to memory of 2764	2704	hoopzo.exe	DllHost.exe
PID 2704 wrote to memory of 2764	2704	hoopzo.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1100

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1152

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2872

C:\Users\Admin\AppData\Local\Temp\f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f595f533be3189b98ff7c4afb39b1f2c_JaffaCakes118.exe"
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1c13edfa.bat"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Kygyh\hoopzo.exe"
5⤵
- Modifies Windows Firewall
PID:2632

C:\Users\Admin\AppData\Roaming\Kygyh\hoopzo.exe
"C:\Users\Admin\AppData\Roaming\Kygyh\hoopzo.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Roaming\Kygyh\hoopzo.exe
"C:\Users\Admin\AppData\Roaming\Kygyh\hoopzo.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpf4fdf02c.bat"
4⤵
- Deletes itself
PID:3024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:296

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2764

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1c13edfa.bat
Filesize
201B

MD5
edda84e5fda09ffddb79915fa113654b

SHA1
f2de3d8fe24d2f0f8f8b207eddb70557ac87d5ce

SHA256
822a58325aca052651cab04bbe2d75341d887d229f193b06b2c364ade7f0ff30

SHA512
44387ab54a1eaf8e8412e071754bb3cca7a4f7b9b26d01686670416e51d6e8ab03c95b29819d1b12fbe103450a5b7fae782fc85d79d7ab4291cf3914e3f6ecb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpf4fdf02c.bat
Filesize
271B

MD5
4f4e9a45b7c28cf3b8b299d4ae622198

SHA1
ccccc63c2b18591abaf1003f094de3154b884855

SHA256
beed45d59053d3ab6c6ddc9862a3cf225379a4dae64f38c013c820a68cf488a0

SHA512
87af57e0d525f0978242faebf8f93f9906f02676ef0fb4b645d3457063cb58f7e9fc5425997b89f5d4d784d0798fe8db52689b6f73691ad88821cd1de9afcf30

Download Submit
\Users\Admin\AppData\Roaming\Kygyh\hoopzo.exe
Filesize
273KB

MD5
642687e1f361e32bc28e468d1e8b0cd9

SHA1
5e1ef3e809e4bc343abfb9663c445c40a9c90713

SHA256
0d2b68e5e333110484b6147e477e014f1ae729b7f626ae7a3d41b04bbb75cf62

SHA512
5b862c3e8e4f7eb1c6f5ca552cb459007a903275723b2be93535ee4be34ab9df01d4f5f01574e1223413a5df29846b78b48fddf1d6e30a9df9bf61681c61a985

Download Submit
memory/296-74-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/296-71-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/296-72-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/296-73-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/1100-55-0x0000000000590000-0x00000000005B7000-memory.dmp

Filesize
156KB

Download
memory/1100-54-0x0000000000590000-0x00000000005B7000-memory.dmp

Filesize
156KB

Download
memory/1100-53-0x0000000000590000-0x00000000005B7000-memory.dmp

Filesize
156KB

Download
memory/1100-52-0x0000000000590000-0x00000000005B7000-memory.dmp

Filesize
156KB

Download
memory/1152-63-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1152-61-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1152-59-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1152-57-0x0000000001EA0000-0x0000000001EC7000-memory.dmp

Filesize
156KB

Download
memory/1200-69-0x0000000002CD0000-0x0000000002CF7000-memory.dmp

Filesize
156KB

Download
memory/1200-68-0x0000000002CD0000-0x0000000002CF7000-memory.dmp

Filesize
156KB

Download
memory/1200-67-0x0000000002CD0000-0x0000000002CF7000-memory.dmp

Filesize
156KB

Download
memory/1200-66-0x0000000002CD0000-0x0000000002CF7000-memory.dmp

Filesize
156KB

Download
memory/1908-17-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1908-15-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1908-46-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1908-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1908-4-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1908-18-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1908-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1908-8-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1908-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1908-12-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1908-14-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1908-16-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2704-82-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2704-49-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2704-102-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2728-81-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/2728-80-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/2728-76-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/2728-77-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/2728-78-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/2728-79-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/2872-0-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2872-1-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/3060-32-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/3060-31-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads