8e9f4c6251508727180d21e1d64d0b7a696b21488cf54b46e1d9c7b32e464c5d

General

Target

f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe
Size

538KB
MD5

f75512b37469cc341820acaf93821ce4
SHA1

2852c6889718fbc5b60c49869d2c0aa284a80741
SHA256

8e9f4c6251508727180d21e1d64d0b7a696b21488cf54b46e1d9c7b32e464c5d
SHA512

4b8ccb04d822951ba72d85a31357a6cde1e7ca7a65b2569306a6d99da213e024140afc3a99efa4f9374c5e3d5d8b2c7d92deeeccbe4f7c1df8e18f9c4008ef9f
SSDEEP

12288:wlbg+41gL5pRTcAkS/3hzN8qE43fm78VE:Wbg+N5jcAkSYqyEE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1452	MSWDM.EXE
624	MSWDM.EXE
1200	F75512B37469CC341820ACAF93821CE4_JAFFACAKES118.EXE
2456	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev3B24.tmp	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe
File opened for modification	C:\Windows\dev3B24.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
624	MSWDM.EXE
624	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 1452	5096	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe	85
PID 5096 wrote to memory of 1452	5096	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe	85
PID 5096 wrote to memory of 1452	5096	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe	85
PID 5096 wrote to memory of 624	5096	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe	86
PID 5096 wrote to memory of 624	5096	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe	86
PID 5096 wrote to memory of 624	5096	f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe	86
PID 624 wrote to memory of 1200	624	MSWDM.EXE	87
PID 624 wrote to memory of 1200	624	MSWDM.EXE	87
PID 624 wrote to memory of 2456	624	MSWDM.EXE	89
PID 624 wrote to memory of 2456	624	MSWDM.EXE	89
PID 624 wrote to memory of 2456	624	MSWDM.EXE	89

C:\Users\Admin\AppData\Local\Temp\f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5096
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1452
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev3B24.tmp!C:\Users\Admin\AppData\Local\Temp\f75512b37469cc341820acaf93821ce4_JaffaCakes118.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Users\Admin\AppData\Local\Temp\F75512B37469CC341820ACAF93821CE4_JAFFACAKES118.EXE
    3⤵
    - Executes dropped EXE
    PID:1200
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev3B24.tmp!C:\Users\Admin\AppData\Local\Temp\F75512B37469CC341820ACAF93821CE4_JAFFACAKES118.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F75512B37469CC341820ACAF93821CE4_JAFFACAKES118.EXE

Filesize
538KB

MD5
02818e3e0dbc617c1af76e8035ef56f8

SHA1
97367d061f984ece733ed3d2047d057d0673ebf5

SHA256
96a9ad7ff5c0b0a2f5ca2e45b5719b7118a9bb46f9dfa69bf4e783a730d2d986

SHA512
b89c692fe2fab97a493b26fd8d634e84ab2dbc93d9cf2c75e700293c2e8c75373c067a0b91598565744923b2867418d6fecd339ab582baac015b21d1f9a98d2c

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
128781d073b135af1412859af64352d9

SHA1
0608a1851f69bda26ed4cb25d125efe79dd6a84f

SHA256
a1947219619010d451fcaa95048a95cc81eafee2ff35f232920d9526ed276206

SHA512
4419c2aee5e813fbb4182b926d12b688a41ebab6135ee6bffbe253462778b1e1a2ef2621fbbb65160d7a1d49a979613ae1c01aaf959574ad6d66f143645bf43e

Download Submit
C:\Windows\dev3B24.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/624-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/624-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1452-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1452-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2456-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5096-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5096-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads