5dc75dcf46e08b693a2cc84e7f6325011e53f0d0fcdb1f34927d42c3f9310f8c

General

Target

0c098ca6abdb40468fc4165239d6e386_JaffaCakes118.exe
Size

106KB
MD5

0c098ca6abdb40468fc4165239d6e386
SHA1

4dbdecdf5bd571b46604fb0e330ff5387476d01d
SHA256

5dc75dcf46e08b693a2cc84e7f6325011e53f0d0fcdb1f34927d42c3f9310f8c
SHA512

7974c5b2756796e2bed26ef5e0eb7e60b4b61041785c25cfba912e696064140a4f359a0312251135be3e4586970d937e8aa3238d873a36b6a3026a2214b013f9
SSDEEP

1536:VlXX5EfNoRb7Kh+rjNu0A98FyK2GA3QY7tFyHgsQVDV3fkKfw2OoQNzkOZv:D58Si+rjNu0K8F9nAAknkKfw2FQNz1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2856	sz.exe

Loads dropped DLL 10 IoCs

pid	Process
1992	0c098ca6abdb40468fc4165239d6e386_JaffaCakes118.exe
1992	0c098ca6abdb40468fc4165239d6e386_JaffaCakes118.exe
2612	rundll32.exe
2612	rundll32.exe
2612	rundll32.exe
2612	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hruwolimar = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Nlerynti.dll\",Startup"	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msapps\comsrvr.exe	0c098ca6abdb40468fc4165239d6e386_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1992	0c098ca6abdb40468fc4165239d6e386_JaffaCakes118.exe
2612	rundll32.exe
2612	rundll32.exe
2612	rundll32.exe
2612	rundll32.exe
2612	rundll32.exe
2612	rundll32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2856	1992	0c098ca6abdb40468fc4165239d6e386_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2856	1992	0c098ca6abdb40468fc4165239d6e386_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2856	1992	0c098ca6abdb40468fc4165239d6e386_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2856	1992	0c098ca6abdb40468fc4165239d6e386_JaffaCakes118.exe	28
PID 2856 wrote to memory of 2612	2856	sz.exe	29
PID 2856 wrote to memory of 2612	2856	sz.exe	29
PID 2856 wrote to memory of 2612	2856	sz.exe	29
PID 2856 wrote to memory of 2612	2856	sz.exe	29
PID 2856 wrote to memory of 2612	2856	sz.exe	29
PID 2856 wrote to memory of 2612	2856	sz.exe	29
PID 2856 wrote to memory of 2612	2856	sz.exe	29
PID 2612 wrote to memory of 2396	2612	rundll32.exe	30
PID 2612 wrote to memory of 2396	2612	rundll32.exe	30
PID 2612 wrote to memory of 2396	2612	rundll32.exe	30
PID 2612 wrote to memory of 2396	2612	rundll32.exe	30
PID 2612 wrote to memory of 2396	2612	rundll32.exe	30
PID 2612 wrote to memory of 2396	2612	rundll32.exe	30
PID 2612 wrote to memory of 2396	2612	rundll32.exe	30

C:\Users\Admin\AppData\Local\Temp\0c098ca6abdb40468fc4165239d6e386_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c098ca6abdb40468fc4165239d6e386_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\sz.exe
  C:\Users\Admin\AppData\Local\Temp\sz.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Nlerynti.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Nlerynti.dll",iep
      4⤵
      Loads dropped DLL
      PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Nlerynti.dll

Filesize
72KB

MD5
0cbcc8dd0f3a69809b6cfc269bcbe6a2

SHA1
f2140c27135639de6f5fda2e58f98abd2df3d959

SHA256
748d546f3e042a1cdf0ecf3cfab4f39a4dd59a21182ba1b72c00d32d19d4c47a

SHA512
84ae27ab1c3caf0e67e2632bf8516e91125d059b769efada8792cf17fe325ee3ee1c4e29c9ab4971b2976bf9d0ce493af32fe41200edb30b342f6640eb7429ae

Download Submit
\Users\Admin\AppData\Local\Temp\sz.exe

Filesize
72KB

MD5
27d29b640a0351167a5e1c2f3934e15c

SHA1
42e00978c09bec164cd3e07604df245a63f21702

SHA256
7e234f9a6bbcddae144fc094c9588960a9d6e07d9789e26722c59f2d96c10570

SHA512
dca6aeb2ac229b03c7dcdd9b45bbd74033fba19de96a95a522d015dd279ac0c3a60f690ea50d6be82805d36acf3bee94c9eff9b889bb1ee3ab789d145e2684b8

Download Submit
memory/2396-38-0x0000000000CB0000-0x0000000000CF0000-memory.dmp

Filesize
256KB

Download
memory/2396-45-0x0000000000CB0000-0x0000000000CF0000-memory.dmp

Filesize
256KB

Download
memory/2396-44-0x0000000000CB0000-0x0000000000CF0000-memory.dmp

Filesize
256KB

Download
memory/2396-41-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2396-37-0x0000000000CB0000-0x0000000000CF0000-memory.dmp

Filesize
256KB

Download
memory/2612-20-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2612-24-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2612-29-0x00000000020D0000-0x0000000002110000-memory.dmp

Filesize
256KB

Download
memory/2612-36-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2612-22-0x00000000020D0000-0x0000000002110000-memory.dmp

Filesize
256KB

Download
memory/2612-21-0x00000000020D0000-0x0000000002110000-memory.dmp

Filesize
256KB

Download
memory/2612-40-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2856-23-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2856-27-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/2856-28-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/2856-11-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2856-9-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/2856-10-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads