229b3c41146d8b0d604778a31e66ce0f26f2795dd64a61e7bf7861e40ff9943e

General

Target

8d52ee97a5ba70895cf933aecfdea223_JaffaCakes118.exe
Size

662KB
MD5

8d52ee97a5ba70895cf933aecfdea223
SHA1

95778870729ea1b116d84742569ef7a88d706b52
SHA256

229b3c41146d8b0d604778a31e66ce0f26f2795dd64a61e7bf7861e40ff9943e
SHA512

12f7483a8770ab75c66f5ffbca8d582436463309eb426bebbf06e0afa51fad40d917bbec9a7923a2fcbe9730ea34afcbe8244915315be01544a65629c8be76f3
SSDEEP

12288:x37h6cT888888888888W88888888888zO+Lp36Ado8YUoYBWzWgdutXsdTgKjtjv:V7h/eb6WzWgduyJgKjTbOV6+YPF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4528	adinstall.exe
3780	adinstall.tmp
4312	metablogagent.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MetablogNewIssues = "C:\\Users\\Admin\\AppData\\Local\\MetablogNewIssues\\MetablogNewIssues.exe /byboot"	adinstall.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metablogagent = "C:\\Users\\Admin\\AppData\\Local\\MetablogNewIssues\\metablogagent.exe"	adinstall.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3416	8d52ee97a5ba70895cf933aecfdea223_JaffaCakes118.exe
4312	metablogagent.exe
4312	metablogagent.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 4528	3416	8d52ee97a5ba70895cf933aecfdea223_JaffaCakes118.exe	81
PID 3416 wrote to memory of 4528	3416	8d52ee97a5ba70895cf933aecfdea223_JaffaCakes118.exe	81
PID 3416 wrote to memory of 4528	3416	8d52ee97a5ba70895cf933aecfdea223_JaffaCakes118.exe	81
PID 4528 wrote to memory of 3780	4528	adinstall.exe	82
PID 4528 wrote to memory of 3780	4528	adinstall.exe	82
PID 4528 wrote to memory of 3780	4528	adinstall.exe	82
PID 3780 wrote to memory of 4312	3780	adinstall.tmp	87
PID 3780 wrote to memory of 4312	3780	adinstall.tmp	87
PID 3780 wrote to memory of 4312	3780	adinstall.tmp	87

C:\Users\Admin\AppData\Local\Temp\8d52ee97a5ba70895cf933aecfdea223_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d52ee97a5ba70895cf933aecfdea223_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Users\Admin\AppData\Local\Temp\adm\adinstall.exe
  C:\Users\Admin\AppData\Local\Temp\\adm\adinstall.exe /VERYSILENT /SUPPRESSMSGBOXES
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\is-21L58.tmp\adinstall.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-21L58.tmp\adinstall.tmp" /SL5="$70178,257361,138240,C:\Users\Admin\AppData\Local\Temp\adm\adinstall.exe" /VERYSILENT /SUPPRESSMSGBOXES
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3780
  - - C:\Users\Admin\AppData\Local\MetablogNewIssues\metablogagent.exe
      "C:\Users\Admin\AppData\Local\MetablogNewIssues\metablogagent.exe" /install
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MetablogNewIssues\metablogagent.exe

Filesize
126KB

MD5
0fcab5303210e2738b72b668cbfc2dbc

SHA1
d809593e9257cd54f137eac5c7a75bb7a62cd0cf

SHA256
f974e8b4795bee8c266df1bf4b0c2cd5221cdf34ad4ae7abee990387dabaab2c

SHA512
82145163d0952322889e1352d28b8c89b15ed5aab8c69ebc6d73385e596dff517b22fc08de6d570894e04a5ac0f9a34db9841b9c449e74788061abaaaeb73ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\adm\adinstall.exe

Filesize
633KB

MD5
33d11073d2d938140fb7b55c4f34ca6f

SHA1
8614bee9fd99ab4334c92d84c32b72199fccbdf1

SHA256
4e8f8b74a985caf357a75f77ad81b56ff645f4bdc418977dc2ecf21738d1125e

SHA512
0be05b910b661081d2e2f891d60bc68fbb2d47558f273864b3bb0c45761b662738c84e876a0ac8f64162a13262d2e60d98322ee944091eb7aacb7f1d8e291210

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-21L58.tmp\adinstall.tmp

Filesize
1.1MB

MD5
ef4643fb82df32a3d7fa4c8739c7006b

SHA1
d2c7e71f33fb1c751946a42bf409e36a9ecb54e9

SHA256
974700947c38a03e00e60fbcdb7c1132e8900a16ece8d3a6943458b230248abc

SHA512
db3f1e0650f9708a27eb7171438a89b7f70624a6de22e6a5bc98ccf33e27cc0419f0ec589c03abe2b6c0ecaa46cfccd9f747bebd4e5d78d34148866e101ed51c

Download Submit
memory/3780-11-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3780-32-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/4528-4-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4528-7-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/4528-33-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads