8378efe6148d06e1dd227258ac2b5ba78a7c74d09f389a8bfccc66ecd0f76ae2

General

Target

f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe
Size

89KB
MD5

f88f19aab3ef6f67db65bc1e85912f40
SHA1

52a65e740344d4b070aba7d142641147665d3133
SHA256

8378efe6148d06e1dd227258ac2b5ba78a7c74d09f389a8bfccc66ecd0f76ae2
SHA512

b82734d589000613618a9fd505aa3af89fe77eb274ef9160cd49d6e2703753450e4437aedf2483e64a6de98f858c7e6bebae5da74f90f2d72f98164fc75e1567
SSDEEP

1536:/UKugu0hgqa12ajatF0AKf1HVXU2T70LmKMJTHiSyPMsw/jVoA8zFoXw:/URflZ0F0AK5T70LmK0TiaVP8Bkw

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2788	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1460	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Debug\0C9C4681802F.dll	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\0C9C4681802F.dll	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe
File created	C:\Windows\Debug\0C9C4681802F.exe	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe
File opened for modification	C:\Windows\Debug\0C9C4681802F.exe	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe
File created	C:\Windows\1.bat	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}\ = "urs"	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}\InProcServer32	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}\InProcServer32\ = "C:\\Windows\\Debug\\0C9C4681802F.dll"	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}\InProcServer32\ThrEaDiNgModEL = "aPaRTmEnT"	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2208	1460	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe	28
PID 1460 wrote to memory of 2208	1460	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe	28
PID 1460 wrote to memory of 2208	1460	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe	28
PID 1460 wrote to memory of 2208	1460	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe	28
PID 1460 wrote to memory of 2672	1460	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe	30
PID 1460 wrote to memory of 2672	1460	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe	30
PID 1460 wrote to memory of 2672	1460	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe	30
PID 1460 wrote to memory of 2672	1460	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe	30
PID 1460 wrote to memory of 2788	1460	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe	32
PID 1460 wrote to memory of 2788	1460	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe	32
PID 1460 wrote to memory of 2788	1460	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe	32
PID 1460 wrote to memory of 2788	1460	f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f88f19aab3ef6f67db65bc1e85912f40_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\1.bat
  2⤵
  - Deletes itself
  PID:2788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
48B

MD5
66a8e9c3f01dac2d20e18476e2970feb

SHA1
041a5aa086b132662cbaee4a672d2b18bf9a29a8

SHA256
2cb4a96d57d2ccdecfe77a7d82941259c264cb467aa4a028f7b2060f64203cce

SHA512
4001cc3276d4740a4d3da4d125530588813afeba2b6a0d8ffb5354b5d464225950965730d87924550e3d4485d50650e5ed0c8d8b46dc503b3ae6645778c476f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
74B

MD5
7f86e6cc3c61e2285b2e847ac0ef1b6e

SHA1
2be1da03914bc239a670b156026998d400cefb98

SHA256
ed9488c5e0f78e08ca10c321d3129e4cba995ee01b2e10e8059221d7a3af65aa

SHA512
43cb73fa67f3e732d8ec9b47c00d65b82440e0e9848c49b4bd209a1d2d9e4ed5fd2a58a9d8f461ccfa663653f999d3406465ade5e1426852bd59656d804828bb

Download Submit
C:\Windows\1.bat

Filesize
212B

MD5
3434cb03d8896ae6ac050a23d9e29140

SHA1
6d352b53b27f077039bf4417a7f6175de27820d7

SHA256
e69e840baa7cd5b2dc06542933b44aee21221be2c3f734916a655a76227a81d2

SHA512
d0b07526255c7ac677360a03b8532e575c1dc41aa48c807dd7e2c021ccd8bb168434d68d1969670e1ccd28cf86cde3a6bd08fe4eeeb23b0ce1646595ce880871

Download Submit
\Windows\debug\0C9C4681802F.dll

Filesize
70KB

MD5
e6e52fda289a471ce4889cb6e7c57a9f

SHA1
e173af8cf085e90445e3c89e307c06a859f622f4

SHA256
61626fb6836ae86b672d35900aedec4c04335816cc339a778ae5574fa62e23f7

SHA512
b32bba15fa8db34306c2a5946a9ed34cc911a25368c6c9a61236fccef841d9d8e86af06e74d303f1bdce871448ee53e25915f6a818a2b1749efd8742dea6e259

Download Submit
memory/1460-1-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1460-2-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1460-4-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1460-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1460-12-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1460-24-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1460-27-0x0000000000450000-0x00000000004A2000-memory.dmp

Filesize
328KB

Download
memory/1460-35-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads