5478b2ab4bda3cafc824665cd1a7dafa6d9111aa5728d99b1af1a6012fea68d5

General

Target

69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
Size

661KB
MD5

69715a3737689f3af82dc9fe678daeaa
SHA1

10cec059bb7fc0a6aadf00c7e5c67c642d1115dc
SHA256

5478b2ab4bda3cafc824665cd1a7dafa6d9111aa5728d99b1af1a6012fea68d5
SHA512

752c3cb7802fff37d165251a420d16f9a211e692e04e3c20794e5b2c82619e11ab3f6858642313bb32ae4effd4a7f2ad8f4ca34b298d31fff5dd10b6417f08ca
SSDEEP

12288:faWzgMg7v3qnCiMErQohh0F4CCJ8lnyC8ri6a:CaHMv6CorjqnyC8r2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2300 svchost.exe
2788 svchost.exe

pid	process
2300	svchost.exe
2788	svchost.exe

Loads dropped DLL 4 IoCs

Processes:

69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe

pid	process
1960	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
1960	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
1960	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
1960	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2392-0-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
\Users\Admin\AppData\Roaming\svchost.exe	autoit_exe
behavioral1/memory/2300-28-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exesvchost.exe

description	pid	process	target process
PID 2392 set thread context of 1960	2392	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
PID 2300 set thread context of 2788	2300	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exesvchost.exe

pid process

1960 69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
2788 svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exesvchost.exe

description	pid	process	target process
PID 2392 wrote to memory of 1960	2392	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
PID 2392 wrote to memory of 1960	2392	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
PID 2392 wrote to memory of 1960	2392	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
PID 2392 wrote to memory of 1960	2392	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
PID 2392 wrote to memory of 1960	2392	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
PID 2392 wrote to memory of 1960	2392	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
PID 1960 wrote to memory of 2300	1960	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe	svchost.exe
PID 1960 wrote to memory of 2300	1960	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe	svchost.exe
PID 1960 wrote to memory of 2300	1960	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe	svchost.exe
PID 1960 wrote to memory of 2300	1960	69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe	svchost.exe
PID 2300 wrote to memory of 2788	2300	svchost.exe	svchost.exe
PID 2300 wrote to memory of 2788	2300	svchost.exe	svchost.exe
PID 2300 wrote to memory of 2788	2300	svchost.exe	svchost.exe
PID 2300 wrote to memory of 2788	2300	svchost.exe	svchost.exe
PID 2300 wrote to memory of 2788	2300	svchost.exe	svchost.exe
PID 2300 wrote to memory of 2788	2300	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2392

C:\Users\Admin\AppData\Local\Temp\69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69715a3737689f3af82dc9fe678daeaa_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2788

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\svchost.exe
Filesize
661KB

MD5
69715a3737689f3af82dc9fe678daeaa

SHA1
10cec059bb7fc0a6aadf00c7e5c67c642d1115dc

SHA256
5478b2ab4bda3cafc824665cd1a7dafa6d9111aa5728d99b1af1a6012fea68d5

SHA512
752c3cb7802fff37d165251a420d16f9a211e692e04e3c20794e5b2c82619e11ab3f6858642313bb32ae4effd4a7f2ad8f4ca34b298d31fff5dd10b6417f08ca

Download Submit
memory/1960-3-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1960-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1960-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1960-7-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1960-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2300-28-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2392-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2788-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2788-41-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads