0592fd7640b20937bb288c44e06d924daa1e3397f55b54440a7c12e7979d8e48

General

Target

0fdf328426ecf86ef63b76949fd208fc_JaffaCakes118.exe
Size

598KB
MD5

0fdf328426ecf86ef63b76949fd208fc
SHA1

4e1c12e0108a6e82ab112e618cd1cde5eb04cbf2
SHA256

0592fd7640b20937bb288c44e06d924daa1e3397f55b54440a7c12e7979d8e48
SHA512

4b669582aece23c54c95b3cb5e4f077849e13e4b2aff323a010fa4f0a7aa0d025feadeb76385857a0269c5730877ccc3cdbec529d2fad915efcedea013871f08
SSDEEP

6144:twwD6UiF6ojFnFeVZLHrwwDgUiF6ojFnFeVZL8+nOj0FZOUxku0GzTVowvYy:mC44UefsCu4UefFVXTmRy

Score

10^/10

evasion persistence

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
283105420

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	REG.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	server.exe

Executes dropped EXE 1 IoCs

pid	Process
2556	server.exe

Loads dropped DLL 1 IoCs

pid	Process
2784	0fdf328426ecf86ef63b76949fd208fc_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\server.exe = "C:\\Program Files"	server.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	server.exe
File created	C:\autorun.inf	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2696	REG.exe
2664	REG.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2556	server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2876	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2556	server.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2556	2784	0fdf328426ecf86ef63b76949fd208fc_JaffaCakes118.exe	28
PID 2784 wrote to memory of 2556	2784	0fdf328426ecf86ef63b76949fd208fc_JaffaCakes118.exe	28
PID 2784 wrote to memory of 2556	2784	0fdf328426ecf86ef63b76949fd208fc_JaffaCakes118.exe	28
PID 2784 wrote to memory of 2556	2784	0fdf328426ecf86ef63b76949fd208fc_JaffaCakes118.exe	28
PID 2556 wrote to memory of 2696	2556	server.exe	30
PID 2556 wrote to memory of 2696	2556	server.exe	30
PID 2556 wrote to memory of 2696	2556	server.exe	30
PID 2556 wrote to memory of 2696	2556	server.exe	30
PID 2556 wrote to memory of 2664	2556	server.exe	31
PID 2556 wrote to memory of 2664	2556	server.exe	31
PID 2556 wrote to memory of 2664	2556	server.exe	31
PID 2556 wrote to memory of 2664	2556	server.exe	31

C:\Users\Admin\AppData\Local\Temp\0fdf328426ecf86ef63b76949fd208fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fdf328426ecf86ef63b76949fd208fc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
    3⤵
    - Disables RegEdit via registry modification
    - Modifies registry key
    PID:2696
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2664

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\resim.jpg

Filesize
31KB

MD5
e7d3f8a928cc098e146460f247bc6837

SHA1
eb576d3784dcc8e68d5d9de19eb6428b83fd9393

SHA256
0243383d0a2bbfd382a170bb6c5c3bf04153070ea66806a1794827ecfc840e7a

SHA512
bf2e6a4170e2d8e9b5ae5b68dbe6a24aa6834c0481734abef32212bb7911abc9b43080ef65f88741461b5e03c11305f6dbde71abb7be589ee814d32309e243df

Download Submit
C:\Users\Admin\AppData\Local\Temp\temples32\ekran\10105159.jpg

Filesize
67KB

MD5
e91e6561175af128ebfccd427aee06c6

SHA1
c958491b3f75e8d51660d343f81912f1303c0f0c

SHA256
47da3007540023290aa55860fba30c1acbb69c1d59f65a360615e96d40d10a08

SHA512
894bf22a7237bf3043a54a7aa7fad070860eca89e057e33ac51f6e134ee240d7f22edba9ab5283fe8ae9131b64a7331b0ae7031c215e787db580de26dcd33bdf

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
173KB

MD5
268bdd9f14e2b1934b7a1125b35e74fe

SHA1
aceda13e816b22bc199aeb222936985d7a8ee019

SHA256
f62a1a51e02d31e99b7cf2612067e7f16070ef6877cbd5bd1dd18108bb3c9250

SHA512
4b2c5b213bba1b169b8de4cf36f733ca4ab4640d7323b0057a5d6b92001e45456d36d773e757ee37d8c9d86040999f461f539790c4f4135cf317a45aa44c6ade

Download Submit
memory/2784-0-0x0000000074EC1000-0x0000000074EC2000-memory.dmp

Filesize
4KB

Download
memory/2784-1-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-2-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-17-0x0000000000E40000-0x0000000000E42000-memory.dmp

Filesize
8KB

Download
memory/2784-19-0x0000000074EC0000-0x000000007546B000-memory.dmp

Filesize
5.7MB

Download
memory/2876-18-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads