8e9f4c6251508727180d21e1d64d0b7a696b21488cf54b46e1d9c7b32e464c5d

General

Target

f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe
Size

538KB
MD5

f75512b37469cc341820acaf93821ce4
SHA1

2852c6889718fbc5b60c49869d2c0aa284a80741
SHA256

8e9f4c6251508727180d21e1d64d0b7a696b21488cf54b46e1d9c7b32e464c5d
SHA512

4b8ccb04d822951ba72d85a31357a6cde1e7ca7a65b2569306a6d99da213e024140afc3a99efa4f9374c5e3d5d8b2c7d92deeeccbe4f7c1df8e18f9c4008ef9f
SSDEEP

12288:wlbg+41gL5pRTcAkS/3hzN8qE43fm78VE:Wbg+N5jcAkSYqyEE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2368	MSWDM.EXE
2000	MSWDM.EXE
2592	F75512B37469CC341820ACAF93821CE4_JAFFACAKES118.EXE
2600	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2000	MSWDM.EXE
2676	Process not Found

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev1BDA.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\dev1BDA.tmp	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2000	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2368	2864	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe	28
PID 2864 wrote to memory of 2368	2864	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe	28
PID 2864 wrote to memory of 2368	2864	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe	28
PID 2864 wrote to memory of 2368	2864	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe	28
PID 2864 wrote to memory of 2000	2864	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe	29
PID 2864 wrote to memory of 2000	2864	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe	29
PID 2864 wrote to memory of 2000	2864	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe	29
PID 2864 wrote to memory of 2000	2864	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe	29
PID 2000 wrote to memory of 2592	2000	MSWDM.EXE	30
PID 2000 wrote to memory of 2592	2000	MSWDM.EXE	30
PID 2000 wrote to memory of 2592	2000	MSWDM.EXE	30
PID 2000 wrote to memory of 2592	2000	MSWDM.EXE	30
PID 2000 wrote to memory of 2600	2000	MSWDM.EXE	32
PID 2000 wrote to memory of 2600	2000	MSWDM.EXE	32
PID 2000 wrote to memory of 2600	2000	MSWDM.EXE	32
PID 2000 wrote to memory of 2600	2000	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2864
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2368
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1BDA.tmp!C:\Users\Admin\AppData\Local\Temp\f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\F75512B37469CC341820ACAF93821CE4_JAFFACAKES118.EXE
    3⤵
    - Executes dropped EXE
    PID:2592
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1BDA.tmp!C:\Users\Admin\AppData\Local\Temp\F75512B37469CC341820ACAF93821CE4_JAFFACAKES118.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F75512B37469CC341820ACAF93821CE4_JAFFACAKES118.EXE

Filesize
538KB

MD5
05de7fc847d6f9f99da7e2340bd1ec76

SHA1
43268007a008697ee820779e5aa3ebe6df3f4d28

SHA256
0ee891b42b3e54b5d9eded4dccd568f8a804f2f4a11f24ac584bf87cb533e0dc

SHA512
f1ff04f5bd98a7ce97f31ac1e3a60e6778eb0eef1ddd823c8e394a7b8aa228c598b1f560d0f15666e9249cba1310911c63498657a158ea06e6046d2408fbf899

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
128781d073b135af1412859af64352d9

SHA1
0608a1851f69bda26ed4cb25d125efe79dd6a84f

SHA256
a1947219619010d451fcaa95048a95cc81eafee2ff35f232920d9526ed276206

SHA512
4419c2aee5e813fbb4182b926d12b688a41ebab6135ee6bffbe253462778b1e1a2ef2621fbbb65160d7a1d49a979613ae1c01aaf959574ad6d66f143645bf43e

Download Submit
C:\Windows\dev1BDA.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/2000-25-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2000-35-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2000-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2368-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2368-36-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2600-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2600-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2864-7-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2864-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2864-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads