0c7b9568523ef7d404acc23a8de9ef789e772f97809aa5ccda8f6ea9ec8fd2ad

General

Target

0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe
Size

273KB
MD5

0646e2421f3a63c98770c935861d5f40
SHA1

b647d050bad1ef9aab1d356f161dd084fa4948a3
SHA256

0c7b9568523ef7d404acc23a8de9ef789e772f97809aa5ccda8f6ea9ec8fd2ad
SHA512

a6f82d7388aabe2a80361de844bfb324863d2baf65a9cd2857f993c3a960f36fb3c84a07c83d79d778a220ed258144642667b2d0362747d26a99ba6a0c33e979
SSDEEP

3072:aESJj+qJS6WehSHl9vEpMulJSBoZ4UhUGkeXg8Ab+yqdDCknGyjlvF57OOooo/M4:aE5HZ6SuPZ4XGAbIdHGYvGxtEA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2992	server.exe

Loads dropped DLL 2 IoCs

pid	Process
3000	0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe
3000	0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2992	server.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2992	3000	0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe	28
PID 3000 wrote to memory of 2992	3000	0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe	28
PID 3000 wrote to memory of 2992	3000	0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe	28
PID 3000 wrote to memory of 2992	3000	0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe	28
PID 2992 wrote to memory of 1360	2992	server.exe	21
PID 2992 wrote to memory of 1360	2992	server.exe	21
PID 2992 wrote to memory of 1360	2992	server.exe	21
PID 2992 wrote to memory of 1360	2992	server.exe	21
PID 2992 wrote to memory of 1360	2992	server.exe	21
PID 2992 wrote to memory of 1360	2992	server.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0646e2421f3a63c98770c935861d5f40_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
63KB

MD5
daf06a1e22703e46893b94147f52c5aa

SHA1
54f152e20a2ca5fcbb23419fe4b1a72063cb20c3

SHA256
2dca6749a6c8a0fb47b0c8168f5e59077c52d469a765f7371ce2574a197e58e8

SHA512
f00fd465a3d464d6c202e7e1b88574bdb325e9df8b717e2146b7e5b9a0c951e3de782a4bea3486bdee40ff473715b02a4aaddc90e856c0760684f072e38dc142

Download Submit
memory/1360-31-0x000000007EFC0000-0x000000007EFC6000-memory.dmp

Filesize
24KB

Download
memory/1360-25-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/2992-43-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3000-10-0x0000000001000000-0x000000000102B000-memory.dmp

Filesize
172KB

Download
memory/3000-15-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/3000-9-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/3000-8-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/3000-6-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/3000-5-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/3000-0-0x0000000001000000-0x000000000102B000-memory.dmp

Filesize
172KB

Download
memory/3000-11-0x0000000001000000-0x000000000102B000-memory.dmp

Filesize
172KB

Download
memory/3000-12-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/3000-7-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/3000-3-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/3000-18-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/3000-4-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/3000-2-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/3000-1-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/3000-44-0x0000000001000000-0x000000000102B000-memory.dmp

Filesize
172KB

Download
memory/3000-45-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads