495ae62a0acba8cd23585cf6bbb8e35ca2944c9028816ec66ffe7248f63455e6

General

Target

14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe
Size

240KB
MD5

14e9af2b3b387642887c9e545ac248d2
SHA1

0d25004347da456697ef8c4ddbf8e8ecdc606972
SHA256

495ae62a0acba8cd23585cf6bbb8e35ca2944c9028816ec66ffe7248f63455e6
SHA512

590c3b34ff4e7536e673700f4e0b2fdde96a97b0c6f36e0a6387bb24806f16def37625bf62213fd348a14237984193b6b65ba9b9eb0194f0e39df8d65e1be32b
SSDEEP

6144:m8g/7ixgAHtuypsUb+MlLwIPXD5OkkQ4tMZqdQsyBd+ptEs:mzeWildh1wIPXD5OkkQ4uqdQD6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1080	server.exe
2772	server.exe

Loads dropped DLL 6 IoCs

pid	Process
2132	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe
2132	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe
1080	server.exe
2132	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe
2132	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe
2772	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1080	server.exe
1080	server.exe
2772	server.exe
2772	server.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1080	2132	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe	28
PID 2132 wrote to memory of 1080	2132	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe	28
PID 2132 wrote to memory of 1080	2132	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe	28
PID 2132 wrote to memory of 1080	2132	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe	28
PID 2132 wrote to memory of 1080	2132	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe	28
PID 2132 wrote to memory of 1080	2132	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe	28
PID 2132 wrote to memory of 1080	2132	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe	28
PID 1080 wrote to memory of 1204	1080	server.exe	21
PID 1080 wrote to memory of 1204	1080	server.exe	21
PID 1080 wrote to memory of 1204	1080	server.exe	21
PID 1080 wrote to memory of 1204	1080	server.exe	21
PID 2132 wrote to memory of 2772	2132	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe	29
PID 2132 wrote to memory of 2772	2132	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe	29
PID 2132 wrote to memory of 2772	2132	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe	29
PID 2132 wrote to memory of 2772	2132	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe	29
PID 2132 wrote to memory of 2772	2132	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe	29
PID 2132 wrote to memory of 2772	2132	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe	29
PID 2132 wrote to memory of 2772	2132	14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe	29
PID 2772 wrote to memory of 1204	2772	server.exe	21
PID 2772 wrote to memory of 1204	2772	server.exe	21
PID 2772 wrote to memory of 1204	2772	server.exe	21
PID 2772 wrote to memory of 1204	2772	server.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\14e9af2b3b387642887c9e545ac248d2_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1080
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
34KB

MD5
fa5391fcdd6bf8a40a0b9183d00b8c22

SHA1
b489da2cf80ee8c3f7f93fba3432c10e463b4567

SHA256
b629d536476f47e272a9ab722e2925c706747ae57f946e0c9bd6b7336568761f

SHA512
3b58d52cec2b6f163bdb11dab7162ccb0fe663d2d748848aa36ac0ecfaa2fe8ce731b7446760e33a3afe63b53b9785988754381c19d36e01427cbcf707a721f0

Download Submit
memory/1080-17-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/1080-31-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1080-21-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1080-16-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download
memory/1080-13-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1204-18-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1204-22-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/2132-7-0x0000000000290000-0x000000000029B000-memory.dmp

Filesize
44KB

Download
memory/2132-2-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/2132-0-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/2132-1-0x0000000001001000-0x0000000001003000-memory.dmp

Filesize
8KB

Download
memory/2132-35-0x0000000000290000-0x000000000029B000-memory.dmp

Filesize
44KB

Download
memory/2132-38-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/2132-52-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/2772-37-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download
memory/2772-51-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads