730b5b1ff9760f80340954c515fdc16e0d0ba664cfbc0f2157e8228c172f8000

General

Target

fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe
Size

356KB
MD5

fd5f67b71543f0d0b620161bfcd1151c
SHA1

c8c938f4edbf3793b6c8b680b3474879c8185ed9
SHA256

730b5b1ff9760f80340954c515fdc16e0d0ba664cfbc0f2157e8228c172f8000
SHA512

48a39c34c3247fa5a7ae9e4e2a1a5e254aca691a170b8d64dd211f67aad0e6841676120585b9839bbbbd6dc39484bf17e417e6d80e724f9129c716f6d411281c
SSDEEP

6144:7vbx8GUoAxgeWj2geARcUPuLrB3cp6FWw21EN:7NVAx2LULN3QEWwOk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
60	kkYM6fiVtDTU.exe

Executes dropped EXE 2 IoCs

pid	Process
5108	kkYM6fiVtDTU.exe
60	kkYM6fiVtDTU.exe

Loads dropped DLL 4 IoCs

pid	Process
4584	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe
4584	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe
60	kkYM6fiVtDTU.exe
60	kkYM6fiVtDTU.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\awdrB5YhSS4Oz = "C:\\ProgramData\\ejfGby2H5oEd9kT\\kkYM6fiVtDTU.exe"	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3368 set thread context of 4584	3368	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe	86
PID 5108 set thread context of 60	5108	kkYM6fiVtDTU.exe	90
PID 60 set thread context of 372	60	kkYM6fiVtDTU.exe	94

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 4584	3368	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe	86
PID 3368 wrote to memory of 4584	3368	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe	86
PID 3368 wrote to memory of 4584	3368	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe	86
PID 3368 wrote to memory of 4584	3368	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe	86
PID 3368 wrote to memory of 4584	3368	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe	86
PID 4584 wrote to memory of 5108	4584	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe	89
PID 4584 wrote to memory of 5108	4584	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe	89
PID 4584 wrote to memory of 5108	4584	fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe	89
PID 5108 wrote to memory of 60	5108	kkYM6fiVtDTU.exe	90
PID 5108 wrote to memory of 60	5108	kkYM6fiVtDTU.exe	90
PID 5108 wrote to memory of 60	5108	kkYM6fiVtDTU.exe	90
PID 5108 wrote to memory of 60	5108	kkYM6fiVtDTU.exe	90
PID 5108 wrote to memory of 60	5108	kkYM6fiVtDTU.exe	90
PID 60 wrote to memory of 3260	60	kkYM6fiVtDTU.exe	91
PID 60 wrote to memory of 3260	60	kkYM6fiVtDTU.exe	91
PID 60 wrote to memory of 3260	60	kkYM6fiVtDTU.exe	91
PID 60 wrote to memory of 372	60	kkYM6fiVtDTU.exe	94
PID 60 wrote to memory of 372	60	kkYM6fiVtDTU.exe	94
PID 60 wrote to memory of 372	60	kkYM6fiVtDTU.exe	94
PID 60 wrote to memory of 372	60	kkYM6fiVtDTU.exe	94
PID 60 wrote to memory of 372	60	kkYM6fiVtDTU.exe	94

C:\Users\Admin\AppData\Local\Temp\fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Users\Admin\AppData\Local\Temp\fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fd5f67b71543f0d0b620161bfcd1151c_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\ProgramData\ejfGby2H5oEd9kT\kkYM6fiVtDTU.exe
    "C:\ProgramData\ejfGby2H5oEd9kT\kkYM6fiVtDTU.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\ProgramData\ejfGby2H5oEd9kT\kkYM6fiVtDTU.exe
      "C:\ProgramData\ejfGby2H5oEd9kT\kkYM6fiVtDTU.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:60
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe" /i:60
        5⤵
        
        PID:3260
    - - C:\Program Files (x86)\Internet Explorer\ExtExport.exe
        
        "C:\Program Files (x86)\Internet Explorer\ExtExport.exe" /i:60
        5⤵
        
        PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ejfGby2H5oEd9kT\RCX45A4.tmp

Filesize
356KB

MD5
654a893a022302f687ab51e67638a090

SHA1
4ff8f5bdbb9073ee7a03e8593a687f5164ee29f8

SHA256
cd5dc5157705a3de97e9c403db707dcb2a02a6e3a006f18fc807ab396d2bcd71

SHA512
6bc0f805915b9b6c9b72cfee8dea9dec07234847c2f4903b8d2ea98cc7fadc11e3d1e54321938665fde1e05f22d2b18bca747208a30d161fd9ea74ac7de34f4e

Download Submit
C:\ProgramData\ejfGby2H5oEd9kT\kkYM6fiVtDTU.exe

Filesize
356KB

MD5
fd5f67b71543f0d0b620161bfcd1151c

SHA1
c8c938f4edbf3793b6c8b680b3474879c8185ed9

SHA256
730b5b1ff9760f80340954c515fdc16e0d0ba664cfbc0f2157e8228c172f8000

SHA512
48a39c34c3247fa5a7ae9e4e2a1a5e254aca691a170b8d64dd211f67aad0e6841676120585b9839bbbbd6dc39484bf17e417e6d80e724f9129c716f6d411281c

Download Submit
memory/60-29-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/60-39-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/372-43-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/372-42-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3368-4-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3368-0-0x0000000076280000-0x0000000076370000-memory.dmp

Filesize
960KB

Download
memory/3368-5-0x0000000076280000-0x0000000076370000-memory.dmp

Filesize
960KB

Download
memory/4584-3-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4584-18-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4584-6-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4584-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4584-1-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5108-22-0x0000000076280000-0x0000000076370000-memory.dmp

Filesize
960KB

Download
memory/5108-25-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5108-27-0x0000000076280000-0x0000000076370000-memory.dmp

Filesize
960KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads