38ea48eceb9210175fc1240575781eee7918a948a19fa564f46504b272546f1c

General

Target

68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
Size

212KB
MD5

68fc74296394014e6e5a5e01d1e00d51
SHA1

e2b591f3dccae712443f93224a9a4df35904764c
SHA256

38ea48eceb9210175fc1240575781eee7918a948a19fa564f46504b272546f1c
SHA512

8812d285ba46a4ef0787d2bf621c67d1149ac7ff5edb9e51ab9e5063371e87eda46cf36122bff2d808f81c9e3a9ee54d1a91e33eec5007f36cfcda8adbe821d8
SSDEEP

3072:MuYbXKyoI/CmBeDO8uly0AsU6+1UaXvzb+O0ojnE7FOQ6GDF:MucXKyfeuhvU6YOO0ojnEd

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

winsvc.exe

pid process

2480 winsvc.exe

pid	process
2480	winsvc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Service = "C:\\Windows\\T-740470504057570408\\winsvc.exe"	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Service = "C:\\Windows\\T-740470504057570408\\winsvc.exe"	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\T-740470504057570408	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
File created	C:\Windows\T-740470504057570408\winsvc.exe	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
File opened for modification	C:\Windows\T-740470504057570408\winsvc.exe	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4748 380 WerFault.exe 68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
2096 2480 WerFault.exe winsvc.exe

pid	pid_target	process	target process
4748	380	WerFault.exe	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
2096	2480	WerFault.exe	winsvc.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exewinsvc.exe

pid	process
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe
2480	winsvc.exe

Suspicious use of SetWindowsHookAW 64 IoCs

Processes:

68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe

pid	process
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe

description	pid	process	target process
PID 380 wrote to memory of 2480	380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe	winsvc.exe
PID 380 wrote to memory of 2480	380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe	winsvc.exe
PID 380 wrote to memory of 2480	380	68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe	winsvc.exe

C:\Users\Admin\AppData\Local\Temp\68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\68fc74296394014e6e5a5e01d1e00d51_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookAW
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\T-740470504057570408\winsvc.exe
C:\Windows\T-740470504057570408\winsvc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 512
3⤵
- Program crash
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 588
2⤵
- Program crash
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 380 -ip 380
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2480 -ip 2480
1⤵
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\T-740470504057570408\winsvc.exe

Filesize
212KB

MD5
68fc74296394014e6e5a5e01d1e00d51

SHA1
e2b591f3dccae712443f93224a9a4df35904764c

SHA256
38ea48eceb9210175fc1240575781eee7918a948a19fa564f46504b272546f1c

SHA512
8812d285ba46a4ef0787d2bf621c67d1149ac7ff5edb9e51ab9e5063371e87eda46cf36122bff2d808f81c9e3a9ee54d1a91e33eec5007f36cfcda8adbe821d8

Download Submit
memory/380-1-0x0000000000780000-0x0000000000880000-memory.dmp

Filesize
1024KB

Download
memory/380-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/380-11-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2480-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2480-10-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2480-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads