5530f88666bfe7612b55cad4296c1fda8fff802d215ba4b3e28493083c6448bc

General

Target

000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe
Size

63KB
MD5

000a31a1845bc21c080793e385c71f3e
SHA1

74297ca6f9a1944f96e04aa9a4f83e7befa2e2e2
SHA256

5530f88666bfe7612b55cad4296c1fda8fff802d215ba4b3e28493083c6448bc
SHA512

bbbd6c0dbd8c0a29cf30c38f87ae2fcc885522ff6f727c85b1954b9578ec81743eec56ac1e3ba5250e675c687993787676b9eda886ca2b5d2bfac4ba84396642
SSDEEP

1536:1X0p5M1OKp54+lRkd9l8LXmPhhc+UZKtv4oN/ASfMkwdXs2:F04zoLlUUcDItvR6SfMkwdc2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2512	servicio.exe
2656	servicio.exe

Loads dropped DLL 3 IoCs

pid	Process
2832	000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe
2832	000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe
2512	servicio.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\servicio.exe"	000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Service = "servicio.exe"	000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\servicio.exe"	servicio.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1464 set thread context of 2832	1464	000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe	28
PID 2512 set thread context of 2656	2512	servicio.exe	30

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1464	000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe
2512	servicio.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2832	1464	000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe	28
PID 1464 wrote to memory of 2832	1464	000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe	28
PID 1464 wrote to memory of 2832	1464	000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe	28
PID 1464 wrote to memory of 2832	1464	000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe	28
PID 1464 wrote to memory of 2832	1464	000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe	28
PID 1464 wrote to memory of 2832	1464	000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe	28
PID 1464 wrote to memory of 2832	1464	000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe	28
PID 1464 wrote to memory of 2832	1464	000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe	28
PID 1464 wrote to memory of 2832	1464	000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe	28
PID 2832 wrote to memory of 2512	2832	000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe	29
PID 2832 wrote to memory of 2512	2832	000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe	29
PID 2832 wrote to memory of 2512	2832	000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe	29
PID 2832 wrote to memory of 2512	2832	000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe	29
PID 2512 wrote to memory of 2656	2512	servicio.exe	30
PID 2512 wrote to memory of 2656	2512	servicio.exe	30
PID 2512 wrote to memory of 2656	2512	servicio.exe	30
PID 2512 wrote to memory of 2656	2512	servicio.exe	30
PID 2512 wrote to memory of 2656	2512	servicio.exe	30
PID 2512 wrote to memory of 2656	2512	servicio.exe	30
PID 2512 wrote to memory of 2656	2512	servicio.exe	30
PID 2512 wrote to memory of 2656	2512	servicio.exe	30
PID 2512 wrote to memory of 2656	2512	servicio.exe	30

C:\Users\Admin\AppData\Local\Temp\000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\000a31a1845bc21c080793e385c71f3e_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\servicio.exe
    "C:\Users\Admin\AppData\Local\Temp\servicio.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\servicio.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\servicio.exe

Filesize
63KB

MD5
000a31a1845bc21c080793e385c71f3e

SHA1
74297ca6f9a1944f96e04aa9a4f83e7befa2e2e2

SHA256
5530f88666bfe7612b55cad4296c1fda8fff802d215ba4b3e28493083c6448bc

SHA512
bbbd6c0dbd8c0a29cf30c38f87ae2fcc885522ff6f727c85b1954b9578ec81743eec56ac1e3ba5250e675c687993787676b9eda886ca2b5d2bfac4ba84396642

Download Submit
memory/1464-5-0x0000000000230000-0x0000000000251000-memory.dmp

Filesize
132KB

Download
memory/1464-0-0x0000000000400000-0x0000000000420600-memory.dmp

Filesize
129KB

Download
memory/1464-17-0x0000000000400000-0x0000000000420600-memory.dmp

Filesize
129KB

Download
memory/2512-53-0x0000000000400000-0x0000000000420600-memory.dmp

Filesize
129KB

Download
memory/2512-31-0x0000000000400000-0x0000000000420600-memory.dmp

Filesize
129KB

Download
memory/2656-61-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2656-62-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2656-70-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2656-69-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2656-68-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2656-67-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2656-66-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2656-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2656-64-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2656-63-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2656-60-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2656-56-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2656-55-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2656-54-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2656-57-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2656-58-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2656-59-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2832-19-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2832-3-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2832-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2832-37-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2832-29-0x00000000004C0000-0x00000000004E1000-memory.dmp

Filesize
132KB

Download
memory/2832-30-0x00000000004C0000-0x00000000004E1000-memory.dmp

Filesize
132KB

Download
memory/2832-18-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2832-14-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2832-6-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2832-8-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2832-10-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads