16d12057b55851d2cdf591d4b76ca2369ac3ffa9f919e0affbe6f022ca072366

General

Target

f82e0046a08422fb7438fb9b44d6c950_JaffaCakes118.exe
Size

313KB
MD5

f82e0046a08422fb7438fb9b44d6c950
SHA1

b639f8074eceac8fe5c3690ea5b80e5d1a6f49b0
SHA256

16d12057b55851d2cdf591d4b76ca2369ac3ffa9f919e0affbe6f022ca072366
SHA512

a0f283c693b8453cabee6f9df3a47944453963ce0684755cf65a1364dab7029cdf10afe908eccaef18ba933f468e84d64c2296ce0cc2b485db64137057ba5c83
SSDEEP

6144:SoKnaembZf9AVfeYc0gkF5Xf6QY/6cATAQLh3++i2Wgwj:9KQx9k7XMD/nxt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2300	seyzfu.exe

Loads dropped DLL 1 IoCs

pid	Process
2960	f82e0046a08422fb7438fb9b44d6c950_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\{58C936C8-997F-AD4E-D42C-E216E5D1C10B} = "C:\\Users\\Admin\\AppData\\Roaming\\Nalus\\seyzfu.exe"	seyzfu.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe
2300	seyzfu.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2300	2960	f82e0046a08422fb7438fb9b44d6c950_JaffaCakes118.exe	28
PID 2960 wrote to memory of 2300	2960	f82e0046a08422fb7438fb9b44d6c950_JaffaCakes118.exe	28
PID 2960 wrote to memory of 2300	2960	f82e0046a08422fb7438fb9b44d6c950_JaffaCakes118.exe	28
PID 2960 wrote to memory of 2300	2960	f82e0046a08422fb7438fb9b44d6c950_JaffaCakes118.exe	28
PID 2300 wrote to memory of 1120	2300	seyzfu.exe	19
PID 2300 wrote to memory of 1120	2300	seyzfu.exe	19
PID 2300 wrote to memory of 1120	2300	seyzfu.exe	19
PID 2300 wrote to memory of 1120	2300	seyzfu.exe	19
PID 2300 wrote to memory of 1120	2300	seyzfu.exe	19
PID 2300 wrote to memory of 1180	2300	seyzfu.exe	20
PID 2300 wrote to memory of 1180	2300	seyzfu.exe	20
PID 2300 wrote to memory of 1180	2300	seyzfu.exe	20
PID 2300 wrote to memory of 1180	2300	seyzfu.exe	20
PID 2300 wrote to memory of 1180	2300	seyzfu.exe	20
PID 2300 wrote to memory of 1216	2300	seyzfu.exe	21
PID 2300 wrote to memory of 1216	2300	seyzfu.exe	21
PID 2300 wrote to memory of 1216	2300	seyzfu.exe	21
PID 2300 wrote to memory of 1216	2300	seyzfu.exe	21
PID 2300 wrote to memory of 1216	2300	seyzfu.exe	21
PID 2300 wrote to memory of 2960	2300	seyzfu.exe	27
PID 2300 wrote to memory of 2960	2300	seyzfu.exe	27
PID 2300 wrote to memory of 2960	2300	seyzfu.exe	27
PID 2300 wrote to memory of 2960	2300	seyzfu.exe	27
PID 2300 wrote to memory of 2960	2300	seyzfu.exe	27

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\f82e0046a08422fb7438fb9b44d6c950_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f82e0046a08422fb7438fb9b44d6c950_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Users\Admin\AppData\Roaming\Nalus\seyzfu.exe
    "C:\Users\Admin\AppData\Roaming\Nalus\seyzfu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Nalus\seyzfu.exe

Filesize
313KB

MD5
b66f01367b8086cc2c7b8a7661364fb4

SHA1
8acf231c0ffd10326d68e99822833c5767679b96

SHA256
ffbf91f5526048a9bc9ec270fa3b064dc7a9a4e3620be9b8bd1cb48125ac437a

SHA512
ba0aa60dc82e7faf1f4e234a7193097955168ebb540a2f09490dd79ecb7c961a0f9dd75352e772b0f14070595c106e6601ba2c919716ae38415f0943b170f942

Download Submit
memory/1120-15-0x0000000002080000-0x00000000020C4000-memory.dmp

Filesize
272KB

Download
memory/1120-18-0x0000000002080000-0x00000000020C4000-memory.dmp

Filesize
272KB

Download
memory/1120-17-0x0000000002080000-0x00000000020C4000-memory.dmp

Filesize
272KB

Download
memory/1120-16-0x0000000002080000-0x00000000020C4000-memory.dmp

Filesize
272KB

Download
memory/1120-13-0x0000000002080000-0x00000000020C4000-memory.dmp

Filesize
272KB

Download
memory/1180-23-0x0000000002080000-0x00000000020C4000-memory.dmp

Filesize
272KB

Download
memory/1216-25-0x0000000002130000-0x0000000002174000-memory.dmp

Filesize
272KB

Download
memory/1216-27-0x0000000002130000-0x0000000002174000-memory.dmp

Filesize
272KB

Download
memory/1216-28-0x0000000002130000-0x0000000002174000-memory.dmp

Filesize
272KB

Download
memory/1216-26-0x0000000002130000-0x0000000002174000-memory.dmp

Filesize
272KB

Download
memory/2300-50-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2300-48-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2300-47-0x00000000012C0000-0x000000000131A000-memory.dmp

Filesize
360KB

Download
memory/2300-41-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2300-14-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2960-30-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-0-0x0000000000180000-0x00000000001DA000-memory.dmp

Filesize
360KB

Download
memory/2960-1-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2960-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-34-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-36-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-38-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-40-0x0000000000180000-0x00000000001DA000-memory.dmp

Filesize
360KB

Download
memory/2960-2-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2960-3-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2960-6-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2960-9-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads