32224d8ce9b9eac3e7af9ce9a43dabf9580d93947ceb00f69c82d1c49a12f512

General

Target

04eb80dd59dd7ebe739b61cdfc6662c0_JaffaCakes118.exe
Size

491KB
MD5

04eb80dd59dd7ebe739b61cdfc6662c0
SHA1

d900163f1fc7fbd62b1720af9f7c100ae351ace5
SHA256

32224d8ce9b9eac3e7af9ce9a43dabf9580d93947ceb00f69c82d1c49a12f512
SHA512

b252ace8fb1ac3ce786b82caedb64d430619c110b1d04f2ec1cd521a68f432527dd55692bfbc7b00358161760ef1767d561a221f764f1136024cc5f442197ea9
SSDEEP

6144:u9tsz0ctIHFxQ/cKrL+i8HeRg7cQldsD7tLAB8:u6NtIPQ/rutgQlutI

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2520	6Do7DvHPUDWiNAK.exe

Executes dropped EXE 2 IoCs

pid	Process
2648	6Do7DvHPUDWiNAK.exe
2520	6Do7DvHPUDWiNAK.exe

Loads dropped DLL 5 IoCs

pid	Process
2224	04eb80dd59dd7ebe739b61cdfc6662c0_JaffaCakes118.exe
2224	04eb80dd59dd7ebe739b61cdfc6662c0_JaffaCakes118.exe
2224	04eb80dd59dd7ebe739b61cdfc6662c0_JaffaCakes118.exe
2648	6Do7DvHPUDWiNAK.exe
2520	6Do7DvHPUDWiNAK.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\u7LhcRSuihkYwJY = "C:\\ProgramData\\CV1pzRpTLPTHjs\\6Do7DvHPUDWiNAK.exe"	04eb80dd59dd7ebe739b61cdfc6662c0_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 2224	1992	04eb80dd59dd7ebe739b61cdfc6662c0_JaffaCakes118.exe	28
PID 2648 set thread context of 2520	2648	6Do7DvHPUDWiNAK.exe	30
PID 2520 set thread context of 2660	2520	6Do7DvHPUDWiNAK.exe	31

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2224	1992	04eb80dd59dd7ebe739b61cdfc6662c0_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2224	1992	04eb80dd59dd7ebe739b61cdfc6662c0_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2224	1992	04eb80dd59dd7ebe739b61cdfc6662c0_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2224	1992	04eb80dd59dd7ebe739b61cdfc6662c0_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2224	1992	04eb80dd59dd7ebe739b61cdfc6662c0_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2224	1992	04eb80dd59dd7ebe739b61cdfc6662c0_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2648	2224	04eb80dd59dd7ebe739b61cdfc6662c0_JaffaCakes118.exe	29
PID 2224 wrote to memory of 2648	2224	04eb80dd59dd7ebe739b61cdfc6662c0_JaffaCakes118.exe	29
PID 2224 wrote to memory of 2648	2224	04eb80dd59dd7ebe739b61cdfc6662c0_JaffaCakes118.exe	29
PID 2224 wrote to memory of 2648	2224	04eb80dd59dd7ebe739b61cdfc6662c0_JaffaCakes118.exe	29
PID 2648 wrote to memory of 2520	2648	6Do7DvHPUDWiNAK.exe	30
PID 2648 wrote to memory of 2520	2648	6Do7DvHPUDWiNAK.exe	30
PID 2648 wrote to memory of 2520	2648	6Do7DvHPUDWiNAK.exe	30
PID 2648 wrote to memory of 2520	2648	6Do7DvHPUDWiNAK.exe	30
PID 2648 wrote to memory of 2520	2648	6Do7DvHPUDWiNAK.exe	30
PID 2648 wrote to memory of 2520	2648	6Do7DvHPUDWiNAK.exe	30
PID 2520 wrote to memory of 2660	2520	6Do7DvHPUDWiNAK.exe	31
PID 2520 wrote to memory of 2660	2520	6Do7DvHPUDWiNAK.exe	31
PID 2520 wrote to memory of 2660	2520	6Do7DvHPUDWiNAK.exe	31
PID 2520 wrote to memory of 2660	2520	6Do7DvHPUDWiNAK.exe	31
PID 2520 wrote to memory of 2660	2520	6Do7DvHPUDWiNAK.exe	31
PID 2520 wrote to memory of 2660	2520	6Do7DvHPUDWiNAK.exe	31

C:\Users\Admin\AppData\Local\Temp\04eb80dd59dd7ebe739b61cdfc6662c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04eb80dd59dd7ebe739b61cdfc6662c0_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\04eb80dd59dd7ebe739b61cdfc6662c0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\04eb80dd59dd7ebe739b61cdfc6662c0_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\ProgramData\CV1pzRpTLPTHjs\6Do7DvHPUDWiNAK.exe
    "C:\ProgramData\CV1pzRpTLPTHjs\6Do7DvHPUDWiNAK.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\ProgramData\CV1pzRpTLPTHjs\6Do7DvHPUDWiNAK.exe
      "C:\ProgramData\CV1pzRpTLPTHjs\6Do7DvHPUDWiNAK.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe" /i:2520
        5⤵
        
        PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\CV1pzRpTLPTHjs\6Do7DvHPUDWiNAK.exe

Filesize
491KB

MD5
04eb80dd59dd7ebe739b61cdfc6662c0

SHA1
d900163f1fc7fbd62b1720af9f7c100ae351ace5

SHA256
32224d8ce9b9eac3e7af9ce9a43dabf9580d93947ceb00f69c82d1c49a12f512

SHA512
b252ace8fb1ac3ce786b82caedb64d430619c110b1d04f2ec1cd521a68f432527dd55692bfbc7b00358161760ef1767d561a221f764f1136024cc5f442197ea9

Download Submit
memory/1992-0-0x0000000074CD1000-0x0000000074CD2000-memory.dmp

Filesize
4KB

Download
memory/1992-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2224-24-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2224-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2224-5-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2224-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2224-9-0x0000000074CC0000-0x0000000074DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2224-8-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2224-27-0x0000000074CC0000-0x0000000074DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2224-1-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2520-53-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2520-41-0x0000000074CC0000-0x0000000074DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2520-55-0x0000000074CC0000-0x0000000074DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2648-37-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2648-40-0x0000000074CC0000-0x0000000074DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2648-30-0x0000000074CC0000-0x0000000074DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2660-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2660-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2660-58-0x0000000074CC0000-0x0000000074DD0000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads