422761e08cf27ba9b64e8a51de87180d746495957d625729e0969384448b64f5

General

Target

0bd350ded27262bc1bcfcb78a396d8d4_JaffaCakes118.exe
Size

209KB
MD5

0bd350ded27262bc1bcfcb78a396d8d4
SHA1

f59aef3de732fa80e05c987af50dfb270dd23ecb
SHA256

422761e08cf27ba9b64e8a51de87180d746495957d625729e0969384448b64f5
SHA512

08879caba5510ff00cb1d5b4940de36653b8345d13bfc24351e3973a4701b87c2c8f776da4e9c0e6acf1bab60c26fe2cbff6f637c8a9dbe69b9c4221ff4a01d6
SSDEEP

6144:74VUVK1pQYsbgVqmCit8l+Fuj9v7DcY44:EVWADVJR8lXtDcr

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
2780	0bd350ded27262bc1bcfcb78a396d8d4_JaffaCakes118.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Metropolis = "rundll32.exe C:\\Windows\\system32\\sshnas21.dll,GetHandle"	0bd350ded27262bc1bcfcb78a396d8d4_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sshnas21.dll	0bd350ded27262bc1bcfcb78a396d8d4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2780	0bd350ded27262bc1bcfcb78a396d8d4_JaffaCakes118.exe
2780	0bd350ded27262bc1bcfcb78a396d8d4_JaffaCakes118.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe
2948	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2780	0bd350ded27262bc1bcfcb78a396d8d4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2948	2780	0bd350ded27262bc1bcfcb78a396d8d4_JaffaCakes118.exe	28
PID 2780 wrote to memory of 2948	2780	0bd350ded27262bc1bcfcb78a396d8d4_JaffaCakes118.exe	28
PID 2780 wrote to memory of 2948	2780	0bd350ded27262bc1bcfcb78a396d8d4_JaffaCakes118.exe	28
PID 2780 wrote to memory of 2948	2780	0bd350ded27262bc1bcfcb78a396d8d4_JaffaCakes118.exe	28
PID 2780 wrote to memory of 2948	2780	0bd350ded27262bc1bcfcb78a396d8d4_JaffaCakes118.exe	28
PID 2780 wrote to memory of 2948	2780	0bd350ded27262bc1bcfcb78a396d8d4_JaffaCakes118.exe	28
PID 2780 wrote to memory of 2948	2780	0bd350ded27262bc1bcfcb78a396d8d4_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\0bd350ded27262bc1bcfcb78a396d8d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0bd350ded27262bc1bcfcb78a396d8d4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\sshnas21.dll,GetHandle
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\sshnas21.dll

Filesize
170KB

MD5
c43f77999312cfd51510f12e19ed23a2

SHA1
fdfcec356c29c75e6f7124272f417650f3550152

SHA256
8f60f43a88be9e1c2daf3ff0804c55570f46f101a1e43f06c3dd1b54960983f4

SHA512
deb5fcd3ea4af04287849c6f0dc6a2af58678d32b624a50f3622b37bae5d71dc783e319df9e3c638d8394295cbe9af2d74aad32459f8783ebf4580e433834e01

Download Submit
memory/2780-0-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/2780-1-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2780-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2780-9-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2948-20-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2948-22-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2948-17-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2948-18-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2948-19-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2948-15-0x0000000000200000-0x000000000021C000-memory.dmp

Filesize
112KB

Download
memory/2948-21-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2948-16-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2948-23-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2948-24-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2948-25-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2948-26-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2948-27-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2948-28-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2948-29-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2948-30-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads