4c181c0b9b17fa72e3d58cbd5193bd9dc147bae4a5708e30bcee0456d5bf2321

General

Target

8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Size

480KB
MD5

8f21322118b88bcd8821b01cacd1eb28
SHA1

483bcd59b517887e38b9bed48fa4a04bde064363
SHA256

4c181c0b9b17fa72e3d58cbd5193bd9dc147bae4a5708e30bcee0456d5bf2321
SHA512

8f73be007a839baca15056db150119f7ae985aa74df81007ac1043cfcbc76e133b355ae51d321c701a11d57fc4502ffbb8f4816b39f0a69aec4a9af0b941f8d8
SSDEEP

6144:wlqL9zmKfFvKhLIF81q6cwdc9FHPQRsGjrNprvL7fnJKqmf3YcI8lWelSbr2oY:kknohMPQRs8BprvPfJKqmPYcI8a21

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3697C5FA-60DD-4B56-92D4-74A569205C16}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA445657-9379-11D6-B41A-00065B83EE53}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3697C5FA-60DD-4B56-92D4-74A569205C16}	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\InProcServer32	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA445657-9379-11D6-B41A-00065B83EE53}	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2188	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2188	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2188	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2188	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2188	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2188	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2188	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2192	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2192	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2192	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2192	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2192	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2192	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2192	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2952	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2952	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2952	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2952	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2952	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2952	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2952	2368	8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8f21322118b88bcd8821b01cacd1eb28_JaffaCakes118.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\system32\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\sogoutsf.ime
  2⤵
  PID:2188
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\sogoutsf.ime
  2⤵
  PID:2192
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\IME\SogouPY\SogouImeBrokerPS.dll
  2⤵
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads