9cb138fed16da0d232bdbdbfe3c5371bd8cfc0936b9b542ab5e91469a88636f8

General

Target

65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
Size

145KB
MD5

65807e9ed484ad3679db1be1f0b83bd0
SHA1

34625889ad69d2552b141606e5e97ba3649bafcf
SHA256

9cb138fed16da0d232bdbdbfe3c5371bd8cfc0936b9b542ab5e91469a88636f8
SHA512

92f8610e8d4c04aa43c20f3a55a159ff0e135e4f0d829a08642f09a063149c88c441786392c799df78566ecb4bfce7cf93ef392841bda99ca1725e2d7f139af4
SSDEEP

3072:jmVW8iTX/3RfldjjXq1+0cxxsWEL02fXcIp08MoevQfom:aM7jJlRexYTHYZMof

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winxcfg.exe = "C:\\Windows\\system32\\winxcfg.exe"	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe

Drops file in System32 directory 33 IoCs

Processes:

65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\macromd\Harry Potter and the sorcerors stone.divx.exe	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\babe leading pussy-whipped stud around by her cunt.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\naturaly tan babe with gorgous body.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\bottle blonde tramp sucking a dick dry.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winxcfg.exe	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\sister and brother gettin' freaky .mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\ebony girl with massive hooters.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\babes with oversized hooters spreading.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\cute teen with her hole spread wide open.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\cute teen fingering herself on the sofa.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\Two girls - Blonde and Brunette - Giving head.exe	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\two kinky old lezbos snapping the whip.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\action with three chicks getting it on with a guy.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\trailor tramp pissing for you.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\virtua girl - adriana.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\hairy lezzies torching it up with hot candles.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\hot mature blonde in stockings.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\gay guy with a screwing machine.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\illgal incest preteen porn cum.mpg.exe	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\sexy hot teens gettin busy in shower.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\blonde on couch gettin tight anal fucking.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\happy babe who got 12 inches last night.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\hot butt sex ..unbeliveable.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\redhead getting a group facial at a wild party.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\3 teen blonde babes chin deep in pussy sauce.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\horny ass licking lesbians.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\sluty cock sucking chick.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\kinky banana in pussy.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\Grand theft auto 3 CD1 crack.exe	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\Yahoo mail cracker.exe	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\movie of mom who whip hot ass on daughter's big cock lover.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\hot actress heather graham naked.mpg.pif	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\macromd\16 year old webcam.mpg.exe	65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65807e9ed484ad3679db1be1f0b83bd0_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4440,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=3440 /prefetch:8
1⤵
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\macromd\Harry Potter and the sorcerors stone.divx.exe

Filesize
73KB

MD5
ea86eec9d14e7ecf0f7eea3b7834c7c8

SHA1
10fe6a6646963b76712d887e77a99bb1f94a1487

SHA256
52856fe0671072716e385b7950fe9c620ab1ad46c444f89b4d4a8b67b6afb01b

SHA512
f9821dd8ca51658c467686e6608b66a6d01327695e7e05c5babd831ca00009ba03b9075b0c12f477d2e7bd30e40820593ae576e386405775655d1494b0722d82

Download Submit
memory/2732-33-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads