bc41f0e4a7a4b43588687c1b984c38508f3d016dc8e50eba11eeab93074684ea

General

Target

05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe
Size

50KB
MD5

05223c65fc4494ab73cdb5897b85c477
SHA1

87496f4d9d87e1e7e52604de5160ade8028cbedf
SHA256

bc41f0e4a7a4b43588687c1b984c38508f3d016dc8e50eba11eeab93074684ea
SHA512

f0cc9ce156d8b1abe3259ee28db074c3970fc831dbd5a8ec80f76b32226bd83ccf6af1a922fc1c8ff39734cb8e552d0673d7fa3ba6054507ff99b3ab7f722151
SSDEEP

768:4VRKzy/Y42LSsbj5M35wh6EDn8pt1+BC3ffng+YctRHmuB1CP1cRWhmYzLgy/U:SRIypbGM3igEWt2ag+/dFCCWhFjM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2636	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2032	Svchosts.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Svchosts.exe = "C:\\Windows\\Svchosts.exe"	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Svchosts.exe	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe
File created	C:\Windows\WinSoft3.DLL	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe
File created	C:\Windows\Svchosts.exe	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2032	Svchosts.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2032	Svchosts.exe
2032	Svchosts.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2032	1992	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2032	1992	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2032	1992	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2032	1992	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2636	1992	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe	29
PID 1992 wrote to memory of 2636	1992	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe	29
PID 1992 wrote to memory of 2636	1992	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe	29
PID 1992 wrote to memory of 2636	1992	05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05223c65fc4494ab73cdb5897b85c477_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\Svchosts.exe
  C:\Windows\Svchosts.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Deleteme.bat
  2⤵
  - Deletes itself
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Deleteme.bat

Filesize
212B

MD5
1c9bf3151ca898f4da83c9ce71e63ec3

SHA1
e3fb448179f20f5ce211b6380405981fd5c775d1

SHA256
da88d35743424746ccff818aa03ad353ea29a36b6dc59d58908b158537f417f0

SHA512
669bcd6496fdb9bf0a9786324157cb4c4faad9a9d3f196945ffada3a10437c1df95dc55dbfa3313acc55ec7ea6b75f103e9c4c884b5c51ccd215d190998ec970

Download Submit
C:\Windows\Svchosts.exe

Filesize
50KB

MD5
05223c65fc4494ab73cdb5897b85c477

SHA1
87496f4d9d87e1e7e52604de5160ade8028cbedf

SHA256
bc41f0e4a7a4b43588687c1b984c38508f3d016dc8e50eba11eeab93074684ea

SHA512
f0cc9ce156d8b1abe3259ee28db074c3970fc831dbd5a8ec80f76b32226bd83ccf6af1a922fc1c8ff39734cb8e552d0673d7fa3ba6054507ff99b3ab7f722151

Download Submit
C:\Windows\WinSoft3.DLL

Filesize
49KB

MD5
e3e15c1c3aab1b0a44f1d6cdff200cd2

SHA1
66645f30ffcabf79de9728ce58835954b42d3149

SHA256
281e14f009ff1e3b40b163bd449186ae1f4a04ac8f340347e17cb3b933982a00

SHA512
24e994d3722a3db534278753eb7d0db6b6c17503802a909b12bfe5d6f9399d38990686849136cf9dbcf83b966ea7a825071a5c02ee2b88404dbcec92673943f8

Download Submit
memory/1992-10-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/1992-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1992-11-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/1992-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-3-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-17-0x0000000000220000-0x0000000000320000-memory.dmp

Filesize
1024KB

Download
memory/2032-16-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2032-27-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2032-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads