f14776a0b524dee51f513a48dd62ccba6a6a962613c0c746a13ad6cd0d32e6ee

General

Target

fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
Size

296KB
MD5

fc024e7c031bce6993dfce2bca1ca905
SHA1

6580ed4367bd6eb0d64b4621ca113efbb8b2857d
SHA256

f14776a0b524dee51f513a48dd62ccba6a6a962613c0c746a13ad6cd0d32e6ee
SHA512

1c850976b5235a32b585745a4757c7b25c7628034c3333e66e59bce3611ae64ff2fb6ad5724316aafed13ba8922b42ade318409e1216a854dab722712dabc68f
SSDEEP

6144:tfH8V2FL1IWFW6fEwnB5S2a3GxIwcx0jIWCy4hQmc:tfH8VWL1IqL3Bg24Gxwx84Ct

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exefc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe

pid process

2792 regsvr32.exe
1728 fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe

pid	process
2792	regsvr32.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\V3_reg = "C:\\Windows\\system32\\v3avast.exe"	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe

Drops file in System32 directory 6 IoCs

Processes:

fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\v3avast.exe	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\v3avast.exe	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\v3avie0.dll	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\v3avie0.dll	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\v3avmn0.dll	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\v3avmn0.dll	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4060	1728	WerFault.exe	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
3032	2792	WerFault.exe	regsvr32.exe
3624	1728	WerFault.exe	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe

pid	process
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe

description	pid	process	target process
PID 1728 wrote to memory of 2792	1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe	regsvr32.exe
PID 1728 wrote to memory of 2792	1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe	regsvr32.exe
PID 1728 wrote to memory of 2792	1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe	regsvr32.exe
PID 1728 wrote to memory of 3500	1728	fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc024e7c031bce6993dfce2bca1ca905_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 280
3⤵
- Program crash
PID:4060

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\v3avie0.dll
3⤵
- Loads dropped DLL
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 624
4⤵
- Program crash
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 356
3⤵
- Program crash
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1728 -ip 1728
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2792 -ip 2792
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1728 -ip 1728
1⤵
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\v3avie0.dll
Filesize
118KB

MD5
888aceadfbada8ae29a9af732236ce8b

SHA1
68fd861860b9892f5686075b76a7968fbee277ce

SHA256
384479273e7290396cd08afea3b1e9ae3feff286465717268a51f66c6b08953c

SHA512
a4a9b1ce4d49d43d980cd8fbf91bd5134a7d5812109a674e16f1f044ce8b932f74acc1aa3a7fa3f5da76e2133ff3dd5c1e55a643d21ccadd2266809213a2f9ae

Download Submit
C:\Windows\SysWOW64\v3avmn0.dll
Filesize
125KB

MD5
ad4bdc452ab727b4d21aed795f811b62

SHA1
ebbaeec020fdc5f82b1956fece393a25944240e6

SHA256
97c0391a90c17a252eeb9eb85230bf28fe39059fe3337f2026daaf308698b377

SHA512
6730c51154de37e8768c7b43798b54327a8fc812274401fbde359fdba561759bb5eb0568a5f16ac313c9db751399861dcffc49176b219aa30e9643262b3f8634

Download Submit
memory/1728-0-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/1728-13-0x0000000010000000-0x0000000010132000-memory.dmp

Filesize
1.2MB

Download
memory/1728-14-0x0000000010000000-0x0000000010132000-memory.dmp

Filesize
1.2MB

Download
memory/1728-16-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/2792-8-0x0000000010000000-0x0000000010120000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads