0c093958610a3bbe30adc07401c185c44df396d35610b8f92e640e267acee176

General

Target

0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe
Size

196KB
MD5

0ed98a3cebdfad526ab344275929e8e6
SHA1

28de999c21d6cf893e43d4d2fc07b6c9db788754
SHA256

0c093958610a3bbe30adc07401c185c44df396d35610b8f92e640e267acee176
SHA512

78a30f30dd0b62fc62aa7332380aeaa66c0a9364cd7cdc264b999b010ed18235023aaf8b9f46d27f3635307c00849dea71b56a82cff4c612d3b13165f8b62650
SSDEEP

1536:UmSplFCH4dUzlxNmoYB0qxFKebO3XNH1R2TgRiR04RzPYrftlnJKNUj:UmUXDdaNmoYuWNwHQ8y04Wr/JKNA

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2024	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\""	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svhost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\""	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 2944	2024	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	28
PID 2944 set thread context of 2716	2944	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2716	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe
2716	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2716	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2944	2024	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2944	2024	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2944	2024	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2944	2024	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2944	2024	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2944	2024	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2944	2024	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2944	2024	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2944	2024	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	28
PID 2024 wrote to memory of 2944	2024	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	28
PID 2944 wrote to memory of 2716	2944	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2716	2944	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2716	2944	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2716	2944	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2716	2944	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2716	2944	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2716	2944	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2716	2944	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2716	2944	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2716	2944	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	29
PID 2716 wrote to memory of 1348	2716	0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1348
- C:\Users\Admin\AppData\Local\Temp\0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0ed98a3cebdfad526ab344275929e8e6_JaffaCakes118.exe"
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: RenamesItself
      Suspicious use of WriteProcessMemory
      PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ghfr7a1safMB6xI45.tmp

Filesize
3KB

MD5
e7b1e53cd661f76799a10cb63978c30a

SHA1
11c2dd43e19e97696c8e5128417fd67985149644

SHA256
56b67faa87b0fa3f7d4f0d92b422827f9afab5ebafe9ee2c4dff4970be6a6700

SHA512
054a10012dbf5e612af99d6a16817a725ed4340978af0d83937ed1ef5d7bf721167abf34342b4bd6f5417376953952aa406abc6670af6656312948e561d70246

Download Submit
memory/2024-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2024-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2024-20-0x00000000002D0000-0x00000000002F9000-memory.dmp

Filesize
164KB

Download
memory/2716-39-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2716-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2716-60-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2716-55-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2716-50-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2716-48-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2716-49-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2716-47-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2716-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2716-29-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2716-35-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2716-31-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2716-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2716-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2944-37-0x00000000003B0000-0x00000000003D9000-memory.dmp

Filesize
164KB

Download
memory/2944-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2944-22-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2944-21-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2944-7-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2944-9-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2944-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2944-13-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2944-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2944-17-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads