4adfdcb3d3fb5e4f7b95b3600ec6c3865462de19b46ef2c0ccd014db3dbb311b

General

Target

fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe
Size

12KB
MD5

fbaa0a3e6b5173986ee5302d0ed13079
SHA1

f858a1b988e717f099c34bae058302c96f28d649
SHA256

4adfdcb3d3fb5e4f7b95b3600ec6c3865462de19b46ef2c0ccd014db3dbb311b
SHA512

4c272ba192f938cacecd3506d4134f2ef72f59f8db17639acf6c56ba8a44e6eb83131a4398645ced3c19dfdc032d22be6cd0bdf2c50cc981a4a77cc9e221802f
SSDEEP

384:TSifIrO7k6zLoqupEaJpd5/k5jbDueeH2N0U03Y:WaAO5n+t5kueeHIEY

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2420	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2972	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
2652	mduaeyk.exe
2964	mduaeyk.exe.exe

Loads dropped DLL 6 IoCs

pid	Process
1028	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe
1028	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe
1028	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe
1028	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe
2652	mduaeyk.exe
2652	mduaeyk.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mduaey.dll	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mduaeyk.exe	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mduaeyk.exe	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mduaeyk.exe.exe	mduaeyk.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2972	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
2972	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
2972	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
2972	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
2972	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
2972	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
2972	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
2972	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
2972	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
2972	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
2972	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
2972	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
2972	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
2972	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
2972	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
2972	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
2972	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
2972	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
2964	mduaeyk.exe.exe
2964	mduaeyk.exe.exe
2964	mduaeyk.exe.exe
2964	mduaeyk.exe.exe
2964	mduaeyk.exe.exe
2964	mduaeyk.exe.exe
2964	mduaeyk.exe.exe
2964	mduaeyk.exe.exe
2964	mduaeyk.exe.exe
2964	mduaeyk.exe.exe
2964	mduaeyk.exe.exe
2964	mduaeyk.exe.exe
2964	mduaeyk.exe.exe
2964	mduaeyk.exe.exe
2964	mduaeyk.exe.exe
2964	mduaeyk.exe.exe
2964	mduaeyk.exe.exe
2964	mduaeyk.exe.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 2972	1028	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	28
PID 1028 wrote to memory of 2972	1028	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	28
PID 1028 wrote to memory of 2972	1028	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	28
PID 1028 wrote to memory of 2972	1028	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	28
PID 1028 wrote to memory of 2652	1028	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	29
PID 1028 wrote to memory of 2652	1028	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	29
PID 1028 wrote to memory of 2652	1028	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	29
PID 1028 wrote to memory of 2652	1028	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	29
PID 2652 wrote to memory of 2964	2652	mduaeyk.exe	30
PID 2652 wrote to memory of 2964	2652	mduaeyk.exe	30
PID 2652 wrote to memory of 2964	2652	mduaeyk.exe	30
PID 2652 wrote to memory of 2964	2652	mduaeyk.exe	30
PID 1028 wrote to memory of 2420	1028	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	31
PID 1028 wrote to memory of 2420	1028	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	31
PID 1028 wrote to memory of 2420	1028	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	31
PID 1028 wrote to memory of 2420	1028	fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Local\Temp\fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
  C:\Users\Admin\AppData\Local\Temp\fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2972
- C:\Windows\SysWOW64\mduaeyk.exe
  C:\Windows\system32\mduaeyk.exe ˜‰
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\mduaeyk.exe.exe
    C:\Windows\SysWOW64\mduaeyk.exe.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.bat
  2⤵
  - Deletes itself
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.bat

Filesize
210B

MD5
b6d3abf79289fe5fd8de434094f6b7b8

SHA1
3da8345686b4850c261b5a27406e6fc740bc6bb1

SHA256
81a3b9e93e847d6d51c7875a570fa82127127edb402952b2039925d51f5a3348

SHA512
e86b63e5440db41ef8a2c874417fbcf0dfb4fe4961ff5477b77ab35317e08dcefdf6fefa38e090dd2102159697e2647a9c9f6885528c8683fa6ce137c6bf2f68

Download Submit
\Users\Admin\AppData\Local\Temp\fbaa0a3e6b5173986ee5302d0ed13079_JaffaCakes118.exe.exe

Filesize
3KB

MD5
1bcf09f14702c9f68a88ffa073afa3d8

SHA1
cb62fc01ceb661bb64d1ac1fb81168f3b607744b

SHA256
a9bd6846e10adf9cfe498aaeb8bb48b729be3129f1fae50382d44dd9d1346cf4

SHA512
c90fab7882c136545e3c8d8dd8a9e1df4b42640f42c105f6ebb5be2a8f568a25972924389e6449f5d8c9f3f7d2e25ae6d6835ca92e4f13fdc7ef4a674b3be864

Download Submit
\Windows\SysWOW64\mduaeyk.exe

Filesize
12KB

MD5
fbaa0a3e6b5173986ee5302d0ed13079

SHA1
f858a1b988e717f099c34bae058302c96f28d649

SHA256
4adfdcb3d3fb5e4f7b95b3600ec6c3865462de19b46ef2c0ccd014db3dbb311b

SHA512
4c272ba192f938cacecd3506d4134f2ef72f59f8db17639acf6c56ba8a44e6eb83131a4398645ced3c19dfdc032d22be6cd0bdf2c50cc981a4a77cc9e221802f

Download Submit

Analysis

Sharing