f4ab1818af8ebd8e5b6763243fefa96c86db69c62f00cb564198ff6149a4e10b

General

Target

63f020fdd37d5fbbd716dc5e43d8dbae_JaffaCakes118.exe
Size

496KB
MD5

63f020fdd37d5fbbd716dc5e43d8dbae
SHA1

1fb907f9202dee3b00adfe43f41dc4772d8572d1
SHA256

f4ab1818af8ebd8e5b6763243fefa96c86db69c62f00cb564198ff6149a4e10b
SHA512

5af616252f2a6fd1db1d84804725ad90ec28ae113ee2f5c10d5c6529a10a119f45a10621c93df3f10497d014c2e9a2474e551cfd2080bbd16ecc74a97d11ef31
SSDEEP

12288:545fonA3GvLnRJAGhfXt+bulIzxbss7fLOR:5A+rFXtMXGzR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe

pid	process
2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe
3728	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe
1288	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

52 myexternalip.com

flow	ioc
52	myexternalip.com

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

63f020fdd37d5fbbd716dc5e43d8dbae_JaffaCakes118.exe52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe

description	pid	process	target process
PID 3000 wrote to memory of 2744	3000	63f020fdd37d5fbbd716dc5e43d8dbae_JaffaCakes118.exe	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe
PID 3000 wrote to memory of 2744	3000	63f020fdd37d5fbbd716dc5e43d8dbae_JaffaCakes118.exe	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe
PID 3000 wrote to memory of 2744	3000	63f020fdd37d5fbbd716dc5e43d8dbae_JaffaCakes118.exe	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe
PID 2744 wrote to memory of 4992	2744	52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\63f020fdd37d5fbbd716dc5e43d8dbae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\63f020fdd37d5fbbd716dc5e43d8dbae_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Roaming\winapp\52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe
C:\Users\Admin\AppData\Roaming\winapp\52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SYSTEM32\svchost.exe
svchost.exe -k netsvcs
3⤵
PID:4992

C:\Users\Admin\AppData\Roaming\winapp\52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe
C:\Users\Admin\AppData\Roaming\winapp\52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe
1⤵
- Executes dropped EXE
PID:3728

C:\Windows\system32\svchost.exe
svchost.exe -k netsvcs
2⤵
PID:1480

C:\Users\Admin\AppData\Roaming\winapp\52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe
C:\Users\Admin\AppData\Roaming\winapp\52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe
1⤵
- Executes dropped EXE
PID:1288

C:\Windows\system32\svchost.exe
svchost.exe -k netsvcs
2⤵
PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\winapp\52e010ecc26c4eaac605cb4d32c7caad_IaeeaBajdr007.exe

Filesize
496KB

MD5
63f020fdd37d5fbbd716dc5e43d8dbae

SHA1
1fb907f9202dee3b00adfe43f41dc4772d8572d1

SHA256
f4ab1818af8ebd8e5b6763243fefa96c86db69c62f00cb564198ff6149a4e10b

SHA512
5af616252f2a6fd1db1d84804725ad90ec28ae113ee2f5c10d5c6529a10a119f45a10621c93df3f10497d014c2e9a2474e551cfd2080bbd16ecc74a97d11ef31

Download Submit
memory/1288-83-0x00000000017A0000-0x0000000001A69000-memory.dmp

Filesize
2.8MB

Download
memory/1288-82-0x0000000000E60000-0x0000000000F1E000-memory.dmp

Filesize
760KB

Download
memory/1288-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1480-61-0x0000000140000000-0x0000000140025000-memory.dmp

Filesize
148KB

Download
memory/2744-33-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2744-21-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2744-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2744-36-0x0000000002580000-0x000000000263E000-memory.dmp

Filesize
760KB

Download
memory/2744-37-0x0000000002A30000-0x0000000002CF9000-memory.dmp

Filesize
2.8MB

Download
memory/2744-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3000-4-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3000-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3000-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3000-0-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/3728-57-0x0000000000E30000-0x0000000000EEE000-memory.dmp

Filesize
760KB

Download
memory/3728-58-0x00000000016E0000-0x00000000019A9000-memory.dmp

Filesize
2.8MB

Download
memory/3728-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4992-34-0x000002B6037B0000-0x000002B6037B1000-memory.dmp

Filesize
4KB

Download
memory/4992-26-0x0000000140000000-0x0000000140025000-memory.dmp

Filesize
148KB

Download
memory/4992-25-0x0000000140000000-0x0000000140025000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing